Abstract. Metric Temporal Logic (MTL) is a prominent specification formalism for real-time systems. In this paper, we show that the satisfiability problem for MTL over finite timed words is decidable, with non-primitive recursive complexity. We also consider the model-checking problem for MTL: whether all words accepted by a given Alur-Dill timed automaton satisfy a given MTL formula. We show that this problem is decidable over finite words. Over infinite words, we show that model checking the safety fragment of MTL (which includes invariance and time-bounded response properties) is also decidable. These results are quite surprising in that they contradict various claims to the contrary that have appeared in the literature.



In the linear-temporal-logic approach to verification, an execution of a system is modelled by a sequence of states or events. This representation abstracts away from the precise times of observations, retaining only their relative order. Such an approach is inadequate to express specifications of systems whose correct behaviour depends on quantitative timing requirements. To address this deficiency, much work has gone into adapting linear temporal logic to the real-time setting; see, e.g., [gdOdOlIHimEHEE].

Real-time logics feature explicit time references, typically by recording timestamps throughout computations. In this paper, we concentrate exclusively on the dense-time, or real-time, semantics, in which the timestamps are drawn from the set of real numbers.¹ An important distinction among real-time models is whether one adopts a state-based semantics [3 [211 E2] or an event-based semantics [HI [91 [THl IS LEI [35]. In the former, an execution of a system is modelled by a function that maps each point in time to the state propositions that are true at that moment. In the latter, one records only a countable sequence of events, corresponding to changes in the discrete state of the system. The distinction between these two semantic models is discussed, among others, in [8, 18]. As we will explain, the main results of this paper crucially depend on our adoption of the event-based model.

¹ By contrast, in discrete-time settings timestamps are usually integers, which yields more tractable theories that however correspond less closely to physical reality [19, 5].

One of the earliest and most popular proposals for extending temporal logic to the real-time setting is to replace the temporal operators by time-constrained versions; see [8] and the references therein. Metric Temporal Logic (MTL), introduced fifteen years ago by Koymans [24], is a prominent and successful instance of this approach.² MTL extends Linear Temporal Logic by constraining the temporal operators by (bounded or unbounded) intervals of the real numbers. For example, the formula $\Diamond_{[3,4]}\varphi$ means that $\varphi$ will hold within 3 to 4 time units from now.

Unfortunately, over the state-based semantics, the satisfiability and model-checking problems for MTL are undecidable [16]. This has led some researchers to consider various restrictions on MTL to recover decidability; see, e.g., [6j El HU [35]. Undecidability arises from the fact that MTL formulas can capture the computations of a Turing machine: configurations of the machine can be encoded within a single unit-duration time interval, since the density of time can accommodate arbitrarily large amounts of information. An MTL formula can then specify that configurations be accurately propagated from one time interval to the next, in such a way that the timed words satisfying the formula correspond precisely to the halting computations of the Turing machine.

It turns out that the key ingredient required for this procedure to go through is punctuality: the ability to specify that a particular event is always followed exactly one time unit later by another one: $\Box(p \to \Diamond_{=1} q)$. It has in fact been claimed that, in the state-based and the event-based semantics alike, any logic strong enough to express the above requirement will automatically be undecidable; see [1, 18, 20], among others. While the claim is correct over the state-based semantics, we show in this paper that it is erroneous in the event-based semantics. Indeed, we show that both satisfiability and model checking for MTL over finite timed words are decidable, albeit with non-primitive recursive complexity. Over infinite words, we show that model checking the safety fragment of MTL (which includes invariance and punctual time-bounded response properties) is also decidable.

Upon careful analysis, one sees that the undecidability argument breaks down because, over the event-based semantics, MTL is only able to encode faulty Turing machines, that is, Turing machines suffering from insertion errors: while the formula $\Box(p \to \Diamond_{=1} q)$ ensures that every $p$ is followed exactly one time unit later by a $q$, there might be some $q$'s that were not preceded one time unit earlier by a $p$ (indeed, by any event at all). Intuitively, this problem does not occur over the state-based semantics because there the system is assumed to be under observation at all instants in time, and therefore any insertion error will automatically be detected thanks to the above formula.

MTL is also genuinely undecidable over the event-based semantics if in addition past temporal operators are allowed [9, 16]. Indeed, in this setting insertion errors can be detected by going backwards in time, and MTL formulas are therefore able to precisely capture the computations of perfect Turing machines.³

The decidability results that we present in this paper are obtained by translating MTL formulas into timed alternating automata. These generalise Alur-Dill timed automata, and, unlike the latter, are closed under complementation. Building on some of our previous work [28], using the theory of well-structured transition systems, we show that the language emptiness problem for one-clock timed alternating automata over finite timed words is decidable, which then entails the decidability of MTL satisfiability over finite timed words. We furthermore show how to extend these results to the model-checking problems discussed earlier. In addition, we show that MTL formulas can capture the computations of insertion channel machines; then, using a result of Schnoebelen about the complexity of reachability for lossy channel machines [33], we give a non-primitive recursive lower bound for the complexity of MTL satisfiability.

² As of early 2006, http://scholar.google.com lists over three hundred and fifty papers on the subject!

³ The original undecidability proof in [5] was carried out in a monadic first-order theory of timed words, which subsumes both forward and past temporal operators.

1.1. Related Work. Existing decidability results for MTL involve placing restrictions on the semantics or the syntax of the logic to circumvent the problem of punctuality. Alur and Henzinger [9] showed that the satisfiability and model-checking problems for MTL relative to a discrete-time semantics are EXPSPACE-complete. Alur, Feder, and Henzinger [6, 7] introduced Metric Interval Temporal Logic (MITL) as a fragment of MTL in which the temporal operators may only be constrained by nonsingular intervals. They showed that the satisfiability and model-checking problems for MITL relative to a dense-time semantics are also EXPSPACE-complete. Wilke [35] considered MTL over a dense-time semantics with bounded variability, i.e., the semantics is parameterised by a bound $k$ on the number of events per unit time interval. He showed that the satisfiability problem is decidable in this semantics and that MTL with existential quantification over propositions is equally expressive as Alur-Dill timed automata.

A notion of timed alternating automaton very similar to the one considered here has recently and independently been introduced by Lasota and Walukiewicz [25]. They also prove that the finite-word language emptiness problem is decidable for one-clock timed alternating automata, and likewise establish a non-primitive recursive complexity bound for this procedure. However they do not consider any questions related to MTL, or timed logics in general.

A class of timed alternating tree automata has been defined by Dickhöfer and Wilke [14] in the context of model checking a real-time version of Computation Tree Logic, called TCTL. The language-emptiness problem for these automata is undecidable in general. However, TCTL model checking reduces to a special case of language emptiness, which is shown in [14] to be decidable using Alur and Dill's clock-regions construction. In contrast, bounded-dimension clock regions do not suffice in the present paper: we combine clock regions with the notion of well-quasi-orders.

Another closely related paper is that of Abdulla and Jonsson [4] on networks of one-clock timed processes. This has a similar flavour to the work presented here in that it uses abstractions based on clock regions and also Higman's Lemma. The problems they study are however very different from the ones considered in this paper.

All the decidability results presented in this paper concern timed alternating automata over finite timed words, including the results that are ostensibly about infinite timed words. In particular, our model-checking procedure for the safety fragment of MTL over infinite timed words depends on the fact that any infinite timed word violating a safety property has a finite bad prefix, that is, a finite prefix none of whose extensions satisfies the property. Since writing the extended abstract of this paper [29], we have obtained some positive and negative decidability results about the language emptiness problem for timed alternating automata over infinite words. We discuss these results in the conclusion, Section 9.
2. Timed Words and Timed Automata

A time sequence $\tau = \tau_1\tau_2\tau_3\ldots$ is a non-empty finite or infinite sequence of time values $\tau_i \in \mathbb{R}_{\ge 0}$ satisfying the following constraints (where $|\tau|$ denotes the length of $\tau$):

• monotonicity: $\tau_i \le \tau_{i+1}$ for all $i$ such that $1 \le i < |\tau|$

• progress: if $\tau$ is infinite, then $\{\tau_i : i \ge 1\}$ is unbounded.

A timed word over finite alphabet $\Sigma$ is a pair $\rho = (\sigma, \tau)$, where $\sigma = \sigma_1\sigma_2\sigma_3\ldots$ is a non-empty finite or infinite word over $\Sigma$ and $\tau$ is a time sequence of the same length as $\sigma$. We also represent a timed word as a sequence of timed events by writing $\rho = (\sigma_1, \tau_1)(\sigma_2, \tau_2)(\sigma_3, \tau_3)\ldots$. Given a timed word $\rho = (\sigma, \tau)$ and $n \le |\rho|$, let $\rho[1 \ldots n]$ denote the prefix $(\sigma_1, \tau_1) \ldots (\sigma_n, \tau_n)$. Finally, write $T\Sigma^*$ for the set of finite timed words over alphabet $\Sigma$, and $T\Sigma^\omega$ for the set of infinite timed words over $\Sigma$.

The requirement that infinite timed words be progressive is sometimes called non-Zenoness or finite variability. It is equivalent to the requirement that an infinite number of events not occur in a finite amount of time. Note however that, unlike [35], we place no a priori bound on the number of events that can occur in a time interval of unit duration.

2.1. Timed Automata. Definition 2.1 recalls the standard notion of a timed automaton [5]. Elsewhere in this paper we refer to the timed automata defined below as Alur-Dill automata. This is to distinguish them from the more general class of timed alternating automata, which we introduce in Section 3 and which is our primary focus.

Let $X = \{x_1, \ldots, x_n\}$ be a finite set of clock variables. Define the set $\Phi_X$ of clock constraints over $X$ by the grammar

$$\varphi ::= \mathit{true} \mid x \bowtie c \mid \varphi_1 \wedge \varphi_2,$$

where $x \in X$, $c \in \mathbb{N}$ is a non-negative integer, and $\bowtie \in \{<, \le, >, \ge\}$.

Definition 2.1. A timed automaton is a tuple $A = (\Sigma, S, s_0, F, X, \Delta)$, where

• $\Sigma$ is a finite alphabet of events

• $S$ is a finite set of locations

• $s_0 \in S$ is an initial location

• $F \subseteq S$ is a set of accepting locations

• $X$ is a finite set of clock variables

• $\Delta \subseteq S \times \Sigma \times S \times \Phi_X \times 2^X$ is a finite set of edges. An edge $(s, a, s', \varphi, R)$ denotes an $a$-labelled transition from $s$ to $s'$, with precondition $\varphi$, and with the postcondition that all clocks in $R$ are reset to zero while all other clocks remain unchanged.

Given a timed automaton $A$, let $c_{\max}$ be the maximum constant appearing in a clock constraint in $A$. The set of clock values appropriate to $A$ is defined to be $\mathit{Val} = [0, c_{\max}] \cup \{\top\}$, where $\top$ represents any clock value strictly greater than $c_{\max}$. $\top$ satisfies the expected arithmetic and order-theoretic properties: if $v \in [0, c_{\max}]$ and $t \in \mathbb{R}_{\ge 0}$ are such that $v + t > c_{\max}$ then we write $v + t = \top$; we also define $\top + t = \top$ for all $t \in \mathbb{R}_{\ge 0}$; finally, we define $\top > v$ for all $v \in \mathit{Val} \setminus \{\top\}$.⁴ A clock valuation of $A$ is a vector $v = (v_1, \ldots, v_n)$, where $v_i \in \mathit{Val}$ gives the value of clock $x_i$. If $t \in \mathbb{R}_{\ge 0}$, we let $v + t$ be the clock valuation whose $i$-th component is $v_i + t$. A state of $A$ is a pair $(s, v)$, where $s \in S$ is a location and $v$ is a clock valuation. Write $Q = S \times \mathit{Val}^n$ for the set of states of $A$.

⁴ Identifying all clock values strictly greater than $c_{\max}$ is harmless since such values are indistinguishable by clock constraints. Moreover this identification will later turn out to be technically advantageous.
Automaton $A$ induces a labelled transition system $T_A = (Q, \leadsto, \to)$ on the set of states, where $\leadsto \subseteq Q \times \mathbb{R}_{\ge 0} \times Q$ is called the delay-step relation, and $\to \subseteq Q \times \Sigma \times Q$ is called the discrete-step relation. Delay steps model the evolution of time while the automaton remains in a given location, while discrete steps correspond to instantaneous transitions between locations. The delay-step transition relation is deterministic, and is defined by $(s, v) \overset{t}{\leadsto} (s, v + t)$, where $t \in \mathbb{R}_{\ge 0}$. The discrete-step relation is defined by $(s, v) \xrightarrow{a} (s', v')$ iff there is an edge $(s, a, s', \varphi, R) \in \Delta$ such that $v$ satisfies $\varphi$, $v'_i = 0$ for all $x_i \in R$ and $v'_i = v_i$ for all $x_i \notin R$.

Let $\rho = (\sigma, \tau)$ be a timed word, and write $d_i = \tau_i - \tau_{i-1}$ for the time delay between the $(i-1)$th and $i$th events of $\rho$, where $1 \le i \le |\rho|$, and, by convention, $\tau_0 = 0$. Define a run of $A$ on $\rho$ to be an alternating sequence of time delays and discrete steps in $T_A$:

$$(s_0, v_0) \overset{d_1}{\leadsto} (s_1, v_1) \xrightarrow{\sigma_1} (s_2, v_2) \overset{d_2}{\leadsto} (s_3, v_3) \xrightarrow{\sigma_2} \cdots \overset{d_n}{\leadsto} (s_{2n-1}, v_{2n-1}) \xrightarrow{\sigma_n} \cdots,$$

where $s_0$ is the initial location and $v_0$ maps every clock variable to 0.

A finite run is accepting if the last location in the run is accepting. An infinite run is accepting if infinitely many control states in the run are accepting. We write $L_f(A)$ for the set of finite timed words over which $A$ has an accepting run, and we write $L_\omega(A)$ for the set of infinite timed words over which $A$ has an accepting run.

3. Timed Alternating Automata

In this section we define timed alternating automata. These arise by extending alternating automata [13, 34] with clock variables, in much the same way that Alur-Dill timed automata extend nondeterministic finite automata. A similar notion has independently been investigated by Lasota and Walukiewicz in a recent paper [25]. It will soon become apparent that timed alternating automata strictly generalise Alur-Dill automata. However we chose to introduce Alur-Dill automata separately, in Section 2, since by so doing we can avoid considering timed alternating automata with Büchi acceptance conditions. (This greatly simplifies the definition of a run of an alternating automaton because we can elide the tree structure; see below.)

Timed alternating automata can in general be defined to have any number of clocks. Our goal, however, is to use them to represent metric temporal logic formulas, for which one clock suffices. Accordingly, we shall exclusively focus on one-clock timed alternating automata in this paper.⁵ In this section we only consider timed alternating automata over finite timed words.

3.1. One-clock Timed Alternating Automata. Let $S$ be a finite set of locations and let $x$ be a distinguished clock variable. We define a set of formulas $\Phi(S)$ by the grammar:

$$\varphi ::= \mathit{true} \mid \mathit{false} \mid \varphi_1 \wedge \varphi_2 \mid \varphi_1 \vee \varphi_2 \mid s \mid x \bowtie c \mid x.\varphi,$$

where $c \in \mathbb{N}$, $\bowtie \in \{<, \le, >, \ge\}$, and $s \in S$. A term of the form $x \bowtie c$ is called a clock constraint, whereas the expression $x.\varphi$ is a binding construct corresponding to the operation of resetting the clock $x$ to 0.

⁵ We note in passing that virtually all decision problems, and in particular language emptiness, are undecidable for timed alternating automata that have more than one clock; cf. the opening of Section 4.
In the definition of a timed alternating automaton, below, the transition function maps each location $s \in S$ and event $a \in \Sigma$ to an expression in $\Phi(S)$. Thus alternating automata allow two modes of branching: existential branching, represented by disjunction, and universal branching, represented by conjunction.

Definition 3.1. A timed alternating automaton is a tuple $A = (\Sigma, S, s_0, F, \delta)$, where

• $\Sigma$ is a finite alphabet

• $S$ is a finite set of locations

• $s_0 \in S$ is the initial location

• $F \subseteq S$ is a set of accepting locations

• $\delta : S \times \Sigma \to \Phi(S)$ is the transition function.

The notion of a run of a timed alternating automaton, defined below, is somewhat 
involved, so we first give an example. 

Example 3.2. We define an automaton $A$ over the singleton alphabet $\Sigma = \{a\}$ that accepts all those finite timed words in which no two events are separated by exactly one time unit. This language is known not to be expressible as the language of an Alur-Dill timed automaton [22]. The required timed alternating automaton has set of locations $\{s_0, s_1\}$, with $s_0$ initial, and both $s_0$ and $s_1$ accepting. The transition function is defined by:

$$\delta(s_0, a) = s_0 \wedge x.s_1$$

$$\delta(s_1, a) = s_1 \wedge x \ne 1,$$

where $x \ne 1$ abbreviates the clock-constraint formula $x < 1 \vee x > 1$.

A run of $A$ starts in location $s_0$. Every time an $a$-event occurs, the automaton makes a conjunctive transition to both $s_0$ and $s_1$, thus opening up a new thread of computation. The automaton resets a fresh copy of clock $x$ whenever it transitions from location $s_0$ to $s_1$, and the transition rule for $s_1$ ensures that no event can happen when the value of this clock equals one. Every run of this automaton is accepting, since every location is accepting, but there is no run over any word in which two events are separated by exactly one time unit.

We now proceed to the formal definitions. Let $c_{\max}$ be the maximum constant mentioned in the definition of the transition function of $A$, and, as with Alur-Dill automata, define the set of clock values relevant to $A$ to be $\mathit{Val} = [0, c_{\max}] \cup \{\top\}$. A state of $A$ is a pair $(s, v)$, where $s \in S$ is a location and $v \in \mathit{Val}$ is a clock valuation. Write $Q = S \times \mathit{Val}$ for the set of all states of $A$.

A set of states $M \subseteq Q$ and a clock valuation $v \in \mathit{Val}$ define a Boolean valuation on $\Phi(S)$ as follows:

• $M \models_v \mathit{true}$

• $M \models_v \varphi_1 \wedge \varphi_2$ if $M \models_v \varphi_1$ and $M \models_v \varphi_2$

• $M \models_v \varphi_1 \vee \varphi_2$ if $M \models_v \varphi_1$ or $M \models_v \varphi_2$

• $M \models_v s$ if $(s, v) \in M$

• $M \models_v x \bowtie c$ if $v \bowtie c$

• $M \models_v x.\varphi$ if $M \models_0 \varphi$.

We say that a set of states $M$ is a minimal model of a formula $\varphi \in \Phi(S)$ with respect to clock value $v \in \mathit{Val}$ if $M \models_v \varphi$ and there is no proper subset $M' \subset M$ with $M' \models_v \varphi$.⁶

⁶ Our use of minimal models here is a technical convenience, since, as we will see later, the minimal models of formula $\varphi$ can be directly related to the syntactic structure of $\varphi$ when the latter is given in disjunctive normal form.
Example 3.3. The minimal models of $\varphi = x.s_0 \wedge (s_1 \vee s_2)$ with respect to the clock value $v = 1.2$ are $\{(s_0, 0), (s_1, 1.2)\}$ and $\{(s_0, 0), (s_2, 1.2)\}$.

A configuration of $A$ is a finite set of states; thus the set of configurations is the finite powerset of the set $Q$ of states, and is denoted $\mathcal{P}(Q)$. The initial configuration is $\{(s_0, 0)\}$ and a configuration is accepting if every location that it contains is accepting. Note in particular that the empty configuration is accepting. Given a configuration $C$ and a time delay $t \ge 0$, denote by $C + t$ the configuration $\{(s, v + t) : (s, v) \in C\}$.

The language accepted by a timed alternating automaton over finite words can be described in terms of a transition system of configurations, defined below.

Definition 3.4. Given a timed alternating automaton $A$, we define the labelled transition system $T_A = (\mathcal{P}(Q), \leadsto, \to)$ over the set of configurations as follows. The $\mathbb{R}_{\ge 0}$-labelled transition relation $\leadsto \subseteq \mathcal{P}(Q) \times \mathbb{R}_{\ge 0} \times \mathcal{P}(Q)$ captures time evolutions, or delay steps, and is defined by $C \overset{t}{\leadsto} C'$ iff $C' = C + t$.

The $\Sigma$-labelled transition relation $\to \subseteq \mathcal{P}(Q) \times \Sigma \times \mathcal{P}(Q)$ captures instantaneous transitions between locations, or discrete steps. Let $C = \{(s_i, u_i)\}_{i \in I}$. We include a transition $C \xrightarrow{a} C'$ iff one can write $C' = \bigcup_{i \in I} M_i$ where, for each $i \in I$, $M_i$ is a minimal model of $\delta(s_i, a)$ with respect to $u_i$.

Let $\rho = (\sigma, \tau)$ be a finite timed word with $|\rho| = n$, and write $d_i = \tau_i - \tau_{i-1}$ for $1 \le i \le |\rho|$, where, by convention, $\tau_0 = 0$. Define a run of $A$ on $\rho$ to be a finite alternating sequence of time delays and discrete steps in $T_A$:

$$C_0 \overset{d_1}{\leadsto} C_1 \xrightarrow{\sigma_1} C_2 \overset{d_2}{\leadsto} C_3 \xrightarrow{\sigma_2} \cdots \overset{d_n}{\leadsto} C_{2n-1} \xrightarrow{\sigma_n} C_{2n},$$

where $C_0$ is the initial configuration. We say that the run is accepting if the last configuration $C_{2n}$ is accepting, and we say that the timed word $\rho$ is accepted by $A$ if there is some accepting run of $A$ on $\rho$. We write $L_f(A) \subseteq T\Sigma^*$ for the language of finite timed words accepted by $A$.⁷

Example 3.5. A time-bounded response property such as 'for every $a$-event there is a $b$-event exactly one time unit later' can be expressed by the following automaton. Let $A$ have two locations $\{s_0, s_1\}$ with $s_0$ the initial and only accepting location, and transition function $\delta$ given by the following table (where $x = 1$ abbreviates $x \le 1 \wedge x \ge 1$):

    δ      | a                    | b
    -------|----------------------|------------------
    s_0    | s_0 ∧ x.s_1          | s_0
    s_1    | s_1                  | (x = 1) ∨ s_1

Location $s_0$ represents an invariant, and is present in every configuration in any run of $A$. When an $a$-event occurs, the conjunction in the definition of $\delta(s_0, a)$ results in the creation of a new thread of computation, starting in location $s_1$. Since this location is not accepting, the automaton must eventually leave it. This is only possible if a $b$-event happens exactly one time unit after the new thread was spawned: at that moment the clause $x = 1$ of $\delta(s_1, b)$ is satisfied on its own, so the empty set is the unique minimal model of $\delta(s_1, b)$ and the thread is discharged from the configuration.

⁷ It is usual to define a run of an alternating automaton to be a tree of states. However, over finite words the branching structure plays no role in the definition of acceptance, and we simply define a run to be a sequence of configurations, where each configuration represents a given level of the run tree.
3.2. Duality and Complementation. The following derivation shows that the class of languages definable by timed alternating automata is closed under complement. Since it is straightforward to show that this class is also closed under union, timed alternating automata are closed under all Boolean operations. The arguments presented here are similar to the untimed case [HI [13].

Given $\varphi \in \Phi(S)$, we define the dual formula $\overline{\varphi} \in \Phi(S)$ as follows. The dual of a clock constraint is its negation (e.g., $\overline{x < k} = x \ge k$), whereas each location is self-dual: $\overline{s} = s$ for $s \in S$. For the propositional connectives we have the usual de Morgan dualities: $\overline{\mathit{true}} = \mathit{false}$, $\overline{\mathit{false}} = \mathit{true}$, $\overline{\varphi_1 \vee \varphi_2} = \overline{\varphi_1} \wedge \overline{\varphi_2}$ and $\overline{\varphi_1 \wedge \varphi_2} = \overline{\varphi_1} \vee \overline{\varphi_2}$. Finally, clock resets distribute through the duality operator: $\overline{x.\varphi} = x.\overline{\varphi}$.

Let $A = (\Sigma, S, s_0, F, \delta)$ be a timed alternating automaton, and denote by $Q$ its set of states. The complement automaton $A^c$ is defined by $A^c = (\Sigma, S, s_0, S \setminus F, \overline{\delta})$, where $\overline{\delta}(s, a) = \overline{\delta(s, a)}$ for each $s \in S$ and $a \in \Sigma$. Thus we take the dual transition function and the complement of the set of accepting locations.

Proposition 3.6. Let $\varphi \in \Phi(S)$ be a formula over set of locations $S$ and let $v \in \mathit{Val}$ be a clock valuation. Given a set of states $P \subseteq Q$ we have $P \models_v \varphi$ iff $Q \setminus P \not\models_v \overline{\varphi}$.

Proof. The proof is by structural induction on $\varphi$, and is straightforward from the definition of $\overline{\varphi}$. □

Proposition 3.7. $L_f(A) \cap L_f(A^c) = \emptyset$.

Proof. Suppose that both $A$ and $A^c$ have runs on the same timed word $\rho = (\sigma, \tau)$, with $|\rho| = n$. Denote the run of $A$ by

$$C_0 \overset{d_1}{\leadsto} C_1 \xrightarrow{\sigma_1} C_2 \overset{d_2}{\leadsto} C_3 \xrightarrow{\sigma_2} \cdots \overset{d_n}{\leadsto} C_{2n-1} \xrightarrow{\sigma_n} C_{2n},$$

and denote the run of $A^c$ by

$$D_0 \overset{d_1}{\leadsto} D_1 \xrightarrow{\sigma_1} D_2 \overset{d_2}{\leadsto} D_3 \xrightarrow{\sigma_2} \cdots \overset{d_n}{\leadsto} D_{2n-1} \xrightarrow{\sigma_n} D_{2n}.$$

We show by induction on $i \le 2n$ that $C_i \cap D_i$ is non-empty. In particular, we deduce that $C_{2n}$ and $D_{2n}$ meet, so the two runs cannot both be accepting since $A$ and $A^c$ have disjoint sets of accepting locations.

The base case of the induction is just the observation that $C_0 = D_0 = \{(s_0, 0)\}$. For the induction step, suppose that $(s, v) \in C_i \cap D_i$. In case $i = 2j$ is even, that is, the next transition is a time delay, then $(s, v + d_{j+1}) \in C_{i+1} \cap D_{i+1}$. In case $i = 2j + 1$ is odd, that is, the next transition is a discrete step, then $C_{i+1} \models_v \delta(s, \sigma_{j+1})$ and $D_{i+1} \models_v \overline{\delta}(s, \sigma_{j+1})$. It follows from Proposition 3.6 that $C_{i+1}$ and $D_{i+1}$ are not disjoint: otherwise $D_{i+1} \subseteq Q \setminus C_{i+1}$, and since satisfaction is preserved by enlarging the set of states we would have $Q \setminus C_{i+1} \models_v \overline{\delta}(s, \sigma_{j+1})$, contradicting $C_{i+1} \models_v \delta(s, \sigma_{j+1})$. This completes the induction step. □

Proposition 3.8. $L_f(A) \cup L_f(A^c) = T\Sigma^*$.

Proof. We claim that, given a finite timed word $\rho = (\sigma, \tau)$ and a set of states $P \subseteq Q$, either $A$ has a run on $\rho$ whose last configuration is a subset of $P$, or $A^c$ has a run on $\rho$ whose last configuration is a subset of $Q \setminus P$. The proposition follows from the claim by taking $P$ to be the set of states in $A$ whose underlying location is accepting.

We prove the claim by induction on $|\rho|$ as follows. Let $\rho = (\sigma, \tau)$ and $P \subseteq Q$ be given as in the claim, with $|\rho| = n + 1$. Also, let $d_{n+1} = \tau_{n+1} - \tau_n$ and write

$$\mathrm{pred}(P) = \{(s, v) \in Q : P \models_{v + d_{n+1}} \delta(s, \sigma_{n+1})\}.$$

Observe also that by Proposition 3.6

$$Q \setminus \mathrm{pred}(P) = \{(s, v) \in Q : P \not\models_{v + d_{n+1}} \delta(s, \sigma_{n+1})\} = \{(s, v) \in Q : Q \setminus P \models_{v + d_{n+1}} \overline{\delta}(s, \sigma_{n+1})\}. \qquad (3.1)$$

By induction, either $A$ has a run on $\rho[1 \ldots n]$ whose last configuration $C$ is a subset of $\mathrm{pred}(P)$, or $A^c$ has a run on $\rho[1 \ldots n]$ whose last configuration $D$ is a subset of $Q \setminus \mathrm{pred}(P)$. In the former case, it is immediate that we can extend the given run of $A$ into a run on $\rho$. Indeed, since $C \subseteq \mathrm{pred}(P)$, for each $(s, v) \in C$ we can choose a finite subset of $P$ that is a minimal model of $\delta(s, \sigma_{n+1})$ with respect to clock value $v + d_{n+1}$. In the latter case, in similar fashion, it follows from (3.1) that $A^c$ has a run on $\rho$ whose last configuration is a subset of $Q \setminus P$. □

Corollary 3.9. The class of languages definable by timed alternating automata is effectively 
closed under all Boolean operations. 
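The following Python program is an added example, not code from the paper, that implements Definitions 3.1 and 3.4 directly and then the complement construction of Section 3.2. Configurations are finite sets of (location, clock value) pairs; a discrete step picks one minimal model of $\delta(s, a)$ per state (read off a disjunctive normal form, exactly as Section 4.1 later describes) and takes the union; a finite timed word is accepted when some run ends in a configuration all of whose locations are accepting. The dual construction swaps connectives, negates clock constraints and complements the accepting set, so that Propositions 3.7 and 3.8 can be checked on constructed sample words against the automata of Examples 3.2 and 3.5. Clock values are kept exact as fractions (the $\top$ abstraction is only needed for finiteness arguments, not for simulation); the tuple encoding of formulas, the dictionary layout of automata and all function names are this example's own choices.

```python
# Added example (not the paper's code): one-clock timed alternating automata over
# finite timed words (Definitions 3.1 and 3.4) and the complement of Section 3.2.
# Formulas of Phi(S) are nested tuples, an encoding chosen for this example:
#   ('true',) ('false',) ('and', f, g) ('or', f, g) ('loc', s) ('clk', op, c)
#   ('reset', f)  standing for x.f
from fractions import Fraction
from itertools import product

OPS = {'<': lambda v, c: v < c, '<=': lambda v, c: v <= c,
       '>': lambda v, c: v > c, '>=': lambda v, c: v >= c,
       '=': lambda v, c: v == c, '!=': lambda v, c: v != c}
DUAL_OP = {'<': '>=', '<=': '>', '>': '<=', '>=': '<', '=': '!=', '!=': '='}


def dnf(phi):
    """Disjunctive normal form: list of clauses, each a frozenset of atoms
    ('loc', s), ('reset', s) (i.e. x.s) or ('clk', op, c).  A clock constraint
    sitting under a reset is decided at clock value 0 on the spot."""
    kind = phi[0]
    if kind == 'true':
        return [frozenset()]
    if kind == 'false':
        return []
    if kind in ('loc', 'clk'):
        return [frozenset([phi])]
    if kind == 'and':
        return [a | b for a in dnf(phi[1]) for b in dnf(phi[2])]
    if kind == 'or':
        return dnf(phi[1]) + dnf(phi[2])
    assert kind == 'reset', phi
    clauses = []
    for clause in dnf(phi[1]):
        if all(OPS[a[1]](Fraction(0), a[2]) for a in clause if a[0] == 'clk'):
            clauses.append(frozenset(('reset', a[1]) if a[0] == 'loc' else a
                                     for a in clause if a[0] != 'clk'))
    return clauses


def minimal_models(phi, v):
    """Minimal models of phi w.r.t. clock value v: the sets A_j[v] of the DNF
    clauses whose clock constraints hold at v, keeping only inclusion-minimal ones."""
    models = set()
    for clause in dnf(phi):
        if all(OPS[a[1]](v, a[2]) for a in clause if a[0] == 'clk'):
            models.add(frozenset((a[1], v) if a[0] == 'loc' else (a[1], Fraction(0))
                                 for a in clause if a[0] != 'clk'))
    return [m for m in models if not any(n < m for n in models)]


def discrete_successors(aut, conf, a):
    """All C' with C --a--> C': one minimal model per state of C, unioned."""
    choices = [minimal_models(aut['delta'][(s, a)], v) for s, v in conf]
    if any(not ch for ch in choices):   # a thread without a model blocks the step
        return set()
    return {frozenset().union(*pick) for pick in product(*choices)}


def accepts(aut, word):
    """Finite-word acceptance.  word: list of (event, timestamp); timestamps are
    non-decreasing ints or decimal strings, kept exact as Fractions."""
    confs = {frozenset([(aut['init'], Fraction(0))])}
    now = Fraction(0)
    for a, tau in word:
        tau = Fraction(tau)
        confs = {frozenset((s, v + tau - now) for s, v in c) for c in confs}  # delay
        now = tau
        confs = set().union(*(discrete_successors(aut, c, a) for c in confs))
        if not confs:
            return False
    return any(all(s in aut['accepting'] for s, _ in c) for c in confs)


def dual(phi):
    """Dual formula of Section 3.2: swap true/false and and/or, negate clock
    constraints, keep locations, push the bar through resets."""
    kind = phi[0]
    swap = {'true': 'false', 'false': 'true', 'and': 'or', 'or': 'and'}
    if kind in ('true', 'false'):
        return (swap[kind],)
    if kind in ('and', 'or'):
        return (swap[kind], dual(phi[1]), dual(phi[2]))
    if kind == 'clk':
        return ('clk', DUAL_OP[phi[1]], phi[2])
    if kind == 'reset':
        return ('reset', dual(phi[1]))
    return phi                          # locations are self-dual


def complement(aut):
    """A^c: dual transition function and complemented set of accepting locations."""
    return {**aut, 'accepting': aut['locations'] - aut['accepting'],
            'delta': {k: dual(f) for k, f in aut['delta'].items()}}


# Example 3.2: no two a-events exactly one time unit apart (x != 1 is x<1 or x>1).
NO_UNIT_GAP = {
    'locations': {'s0', 's1'}, 'init': 's0', 'accepting': {'s0', 's1'},
    'delta': {('s0', 'a'): ('and', ('loc', 's0'), ('reset', ('loc', 's1'))),
              ('s1', 'a'): ('and', ('loc', 's1'), ('clk', '!=', 1))}}

# Example 3.5: every a-event is answered by a b-event exactly one time unit later.
RESPONSE = {
    'locations': {'s0', 's1'}, 'init': 's0', 'accepting': {'s0'},
    'delta': {('s0', 'a'): ('and', ('loc', 's0'), ('reset', ('loc', 's1'))),
              ('s0', 'b'): ('loc', 's0'),
              ('s1', 'a'): ('loc', 's1'),
              ('s1', 'b'): ('or', ('clk', '=', 1), ('loc', 's1'))}}
```

Calling `accepts(NO_UNIT_GAP, [('a', 0), ('a', '0.5'), ('a', '1.5')])` returns False (the second and third events are one unit apart) while `accepts(complement(NO_UNIT_GAP), ...)` on the same word returns True, and the two answers are complementary on every word tried, as Propositions 3.7 and 3.8 require. Note how the empty set arises as the unique minimal model of $(x = 1) \vee s_1$ when the clock reads exactly 1, which is what lets the non-accepting thread of Example 3.5 disappear.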



4. Decidability of Language Emptiness

It is well known that the universality problem for Alur-Dill timed automata is undecidable [5]. In fact the proof in [5] shows undecidability for the subclass of Alur-Dill automata with at most two clocks. Since the class of timed alternating automata is closed under complement and includes the class of Alur-Dill automata, it immediately follows that the language-emptiness problem for two-clock timed alternating automata is undecidable. However we show in this section that if we restrict to alternating automata with a single clock, then language emptiness is decidable. The decision procedure that we present is a generalisation of the algorithm for deciding universality for one-clock Alur-Dill automata that appeared in the extended abstract [28].

In the remainder of this section we assume that $A = (\Sigma, S, s_0, F, \delta)$ is a one-clock timed alternating automaton, and we denote by $Q$ the set of states of this automaton. The language-emptiness problem for $A$ is equivalent to the following reachability question on the derived transition system $T_A$: 'Is there a path from the initial configuration to an accepting configuration?'. However it is not immediate how to decide this question since $T_A$ has uncountably many states: indeed each state has uncountably many successors under the delay-step relation.

4.1. The Bisimulation Lemma. In this section we isolate a sub-transition-system of $T_A$, denoted $W_A$, that is effective and is, in a certain sense, bisimilar to $T_A$.⁸ In particular, $W_A$ has only countably many states and is finitely branching. Moreover the state space of $W_A$ possesses an effective well-quasi-order, which we use to prove termination of our reachability algorithm.

Recall that the set of clock values relevant to $A$ is $\mathit{Val} = [0, c_{\max}] \cup \{\top\}$. Define the fractional part of $v \in \mathit{Val} \setminus \{\top\}$ by $\mathrm{frac}(v) = v - \lfloor v \rfloor$ (where $\lfloor \cdot \rfloor$ denotes the floor function). It is also technically convenient to define $\mathrm{frac}(\top) = 0$.

⁸ In the extended abstract of this paper $W_A$ was described as a quotient of $T_A$, akin to the clock-region quotient of an Alur-Dill automaton. However in our opinion the technical details are more straightforward under the present approach.
Definition 4.1 (Clock Regions). Define an equivalence relation $\sim$ on the set of clock values $\mathit{Val}$ by $u \sim v$ if either $u = v = \top$, or $u, v \ne \top$, $\lceil u \rceil = \lceil v \rceil$ and $\lfloor u \rfloor = \lfloor v \rfloor$ (where $\lceil \cdot \rceil$ denotes ceiling). The corresponding set of equivalence classes, or regions, is $\mathit{REG} = \{r_0, r_1, \ldots, r_{2c_{\max}+1}\}$, where $r_{2i} = \{i\}$ for $i \le c_{\max}$, $r_{2i+1} = (i, i+1)$ for $i < c_{\max}$, and $r_{2c_{\max}+1} = \{\top\}$. Let $\mathrm{reg}(v)$ denote the equivalence class of $v \in \mathit{Val}$.

The intuition behind the transition system $W_A$ is that we can ignore those time delays in $T_A$ that leave unchanged the regions of the clock values in a configuration. We only consider time delays that take a configuration to its time successor:

Definition 4.2. Let $C \subseteq Q$ be an $A$-configuration. If $C$ is non-empty then define $\mu = \max\{\mathrm{frac}(v) : (s, v) \in C\}$ to be the maximum fractional part of the clock values appearing in $C$. Now define the time successor of $C$ to be the configuration $\mathrm{next}(C)$ given by the following clauses:

• if $C = \emptyset$ then $\mathrm{next}(C) = C$

• if $(s, v) \in C$ for some integer clock value $v \in [0, c_{\max}]$ then $\mathrm{next}(C) = C + (1 - \mu)/2$

• if neither of the above cases holds then $\mathrm{next}(C) = C + (1 - \mu)$.

Example 4.3. Suppose that the maximum constant appearing in $A$ is $c_{\max} = 3$. Consider a configuration $C = \{(s, 1.25), (t, 2.5), (s, 0.75)\}$. Then $\mathrm{next}(C) = \{(s, 1.5), (t, 2.75), (s, 1)\}$ (in which time has advanced by 0.25 units, and the clock value in $C$ with largest fractional part has moved to a new region while all other clock values remain in the same regions). On the other hand, if $C = \{(s, 1), (t, 0.5)\}$, then $\mathrm{next}(C) = \{(s, 1.25), (t, 0.75)\}$ (in which the clock value in $C$ with fractional part zero moves to a new region, while all other clock values remain in the same regions). Finally, the time successor of $C = \{(s, 0.5), (t, 3)\}$ is $\{(s, 0.75), (t, \top)\}$.

Definition 4.4. Define the labelled transition system $W_A$ as follows.

• Alphabet. The alphabet of $W_A$ is $\Sigma \cup \{\varepsilon\}$.

• States. The states of $W_A$ are those $A$-configurations $C \subseteq Q$ in which all clock values are rational (henceforth call such configurations rational).

• Transitions. Each state $C$ has a unique $\varepsilon$-transition to its time successor $\mathrm{next}(C)$. For $a \in \Sigma$, we postulate that $C \xrightarrow{a} C'$ in $W_A$ if $C \xrightarrow{a} C'$ in $T_A$.

Thus $W_A$ differs from $T_A$ in containing only rational configurations and retaining only those delay steps between a configuration and its time successor (renaming these as $\varepsilon$-transitions). Next we show that $W_A$ and $T_A$ are bisimilar in a certain sense. To this end, we first reexamine the notion of the minimal model of a formula $\varphi \in \Phi(S)$ over the set of locations $S$ of $A$ (cf. Section 3).

Any formula $\varphi \in \Phi(S)$ can be written in disjunctive normal form $\varphi = \bigvee_{j \in J} \bigwedge A_j$, where each $A_j$ is a set of terms of the form $s$, $x.s$, and $x \bowtie c$ (which we call atoms). The minimal models of $\varphi$ can be read off from the disjunctive normal form as follows. For a set of atoms $A$ and a clock valuation $v \in \mathit{Val}$, let $A[v] \subseteq Q$ be the set of states given by $A[v] = \{(s, v) : s \in A\} \cup \{(s, 0) : x.s \in A\}$. Then each minimal model $M$ of $\varphi$ with respect to $v$ has the form $M = A_j[v]$, for some $j \in J$ such that $v$ satisfies all the clock constraints in $A_j$.

Example 4.5. For the formula <p = x.sq A (s\ V s 2 ) from Example 13.31 the equivalent 
disjunctive normal form is (x.sq A s\) V (x.sq A S2). Then the two minimal models of ip with 
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respect to the clock value v G Val are (x.so A si)[v] = {(so,0), (si,v)} and (x.so A S2)[v] = 
{(■so,0), (si,v)}. 

Definition 4.6. Define the relation $\equiv\ \subseteq \wp(Q) \times \wp(Q)$ by $C \equiv C'$ iff there is a bijection $f : C \to C'$ such that: (i) $f(s,u) = (t,u')$ implies $s = t$ and $u \sim u'$; (ii) if $f(s,u) = (s,u')$ and $f(t,v) = (t,v')$, then $frac(u) < frac(v)$ implies $frac(u') < frac(v')$.

Lemma 4.7 (Bisimulation Lemma). Suppose that $C$ and $D$ are $\mathcal{A}$-configurations such that $C \equiv D$. Then for each transition $C \xrightarrow{\alpha} C'$, with $\alpha \in \Sigma \cup \{\varepsilon\}$, there exists a configuration $D'$ and a transition $D \xrightarrow{\alpha} D'$ such that $C' \equiv D'$.

Proof. Write $C = \{(s_i, u_i)\}_{i \in I}$ and $D = \{(t_i, v_i)\}_{i \in I}$, and let $f : C \to D$, given by $f(s_i, u_i) = (t_i, v_i)$, be the bijection witnessing $C \equiv D$.

Matching $\Sigma$-labelled transitions. Suppose $C$ makes a transition $C \xrightarrow{a} C'$ for some $a \in \Sigma$. By the above considerations on minimal models, we know that $C' = \bigcup_{i \in I} A_i[u_i]$, where, for each $i \in I$, the set of atoms $A_i$ is a clause in the disjunctive normal form expression for $\delta(s_i, a)$. Writing $D' = \bigcup_{i \in I} A_i[v_i]$, we have $D \xrightarrow{a} D'$. (Here we rely on the fact that $u_i \sim v_i$, so that $u_i$ and $v_i$ satisfy the same clock constraints.) Now the set of clock values appearing in $C'$ is a subset of $\{u_i : i \in I\} \cup \{0\}$, since $\Sigma$-labelled transitions either leave clocks unchanged or reset them to $0$. Thus $C' \equiv D'$, since we can define a bijection $f' : C' \to D'$ by $f'(s, u_i) = (s, v_i)$ if $(s, u_i) \in C'$ and $f'(s, 0) = (s, 0)$ if $(s, 0) \in C'$.

Matching $\varepsilon$-transitions. Since each configuration makes a unique $\varepsilon$-transition to its time successor, we need only show that $next(C) \equiv next(D)$. Now $next(C)$ has the form $\{(s_i, u_i')\}_{i \in I}$, where, for some time delay $t > 0$, $u_i' = u_i + t$; similarly $next(D)$ has the form $\{(t_i, v_i')\}_{i \in I}$, where, for some time delay $t' > 0$, $v_i' = v_i + t'$. The effect of the time delay $t$ on $C$ is either to leave the order of the fractional parts of the clocks unchanged or to cyclically permute the order by one place, so that the clock with greatest fractional part in $C$ has zero fractional part in $next(C)$. A similar statement holds for $D$. In either case, we have $u_i' \sim v_i'$ for each $i \in I$, and the bijection $f' : next(C) \to next(D)$ defined by $f'(s_i, u_i') = (t_i, v_i')$ witnesses $next(C) \equiv next(D)$. □

Let $\xrightarrow{\varepsilon^*}$ denote the reflexive transitive closure of the relation $\xrightarrow{\varepsilon}$. The following simple corollary of the Bisimulation Lemma shows that, up to $\equiv$-equivalence, there is no loss in expressiveness in replacing the delay-step transition relation with $\xrightarrow{\varepsilon}$.

Corollary 4.8. Suppose that $C, D \subseteq Q$ are $\mathcal{A}$-configurations such that $C \equiv D$. Then for any time delay $C \xrightarrow{t} C'$ there exists a configuration $D'$, with $D \xrightarrow{\varepsilon^*} D'$ and $C' \equiv D'$.

Proof. Observe that $C \xrightarrow{t} C'$ implies that $C' \equiv next^n(C)$ for some $n \geq 0$. From the Bisimulation Lemma we get that $next^n(C) \equiv next^n(D)$. The corollary follows by taking $D' = next^n(D)$. □

Proposition 4.9. If configuration $C$ is reachable from the initial configuration $C_0$ in $\mathcal{T}_\mathcal{A}$, then there is a rational configuration $C'$, with $C \equiv C'$, such that $C'$ is reachable from $C_0$ in $\mathcal{W}_\mathcal{A}$.

Proof. Given a path $C_0 \xrightarrow{t_1} C_1 \xrightarrow{a_1} C_2 \xrightarrow{t_2} C_3 \cdots \xrightarrow{a_n} C_{2n}$ in $\mathcal{T}_\mathcal{A}$, we generate, step by step, a 'matching' path of rational configurations in $\mathcal{W}_\mathcal{A}$

$C_0' \xrightarrow{\varepsilon^*} C_1' \xrightarrow{a_1} C_2' \xrightarrow{\varepsilon^*} C_3' \cdots \xrightarrow{a_n} C_{2n}'$

such that $C_i \equiv C_i'$ for $0 \leq i \leq 2n$. Given $C_i \equiv C_i'$, if $i$ is odd we use the Bisimulation Lemma to generate the next configuration $C_{i+1}'$, and if $i$ is even we use Corollary 4.8 to generate $C_{i+1}'$. □

We have now reduced the language-emptiness problem for $\mathcal{A}$ to the following reachability question for $\mathcal{W}_\mathcal{A}$: 'Is there a path from the initial configuration to an accepting configuration?'. Although $\mathcal{W}_\mathcal{A}$ is simpler than $\mathcal{T}_\mathcal{A}$, it still has infinitely many states (indeed, even the quotient of $\mathcal{W}_\mathcal{A}$ by $\equiv$ is infinite-state, since $\equiv$ only relates configurations of the same cardinality). We circumvent this problem by exhibiting a well-quasi-order on the state space of $\mathcal{W}_\mathcal{A}$. This serves in lieu of finiteness to guarantee the termination of a state-exploration algorithm that computes a conservative over-approximation of the set of reachable states. This is described in the next subsection in terms of the theory of well-structured transition systems [15].



4.2. Well-quasi-orders. Recall that a quasi-order $(W, \sqsubseteq)$ consists of a set $W$ together with a reflexive, transitive relation $\sqsubseteq$. An infinite sequence $w_1, w_2, w_3, \ldots$ in $(W, \sqsubseteq)$ is said to be saturating if there exist indices $i < j$ such that $w_i \sqsubseteq w_j$. $(W, \sqsubseteq)$ is a well-quasi-order (wqo) if every infinite sequence in $(W, \sqsubseteq)$ is saturating.

We can extend a quasi-order $(W, \sqsubseteq)$ to a quasi-order $(W^*, \sqsubseteq)$ on the set of finite words over alphabet $W$ as follows. Define $w_1 \ldots w_m \sqsubseteq v_1 \ldots v_n$ if there exists a strictly increasing function $f : \{1, \ldots, m\} \to \{1, \ldots, n\}$ such that $w_i \sqsubseteq v_{f(i)}$ for all $i \in \{1, \ldots, m\}$. The induced order on $W^*$ is known as the monotone domination order.

Lemma 4.10 (Higman's Lemma [23]). If $(W, \sqsubseteq)$ is a wqo then $(W^*, \sqsubseteq)$ is also a wqo.

Next we use Higman's Lemma to construct a well-quasi-order on the state space of the transition system $\mathcal{W}_\mathcal{A}$. The first step is to define a class of abstract configurations, which are intended as canonical representatives of $\equiv$-equivalence classes of configurations.

Definition 4.11. An abstract configuration of the automaton $\mathcal{A}$ is a finite word over the alphabet $\Lambda$ of finite non-empty subsets of $S \times REG$, where $S$ is the set of locations of $\mathcal{A}$ and $REG$ is the set of regions.

Roughly speaking, each (concrete) $\mathcal{A}$-configuration $C$ gives rise to an abstract configuration as follows. First, $C$ is converted from a set to a list by ordering its elements according to the fractional parts of their clock values. Then each clock value is replaced by the region it lies in. Formally, define an abstraction function $H : \wp(Q) \to \Lambda^*$, yielding an abstract configuration $H(C)$ for each configuration $C$, as follows. First, lift the function $reg$ to configurations by $reg(C) = \{(s, reg(v)) : (s,v) \in C\}$. Now given a configuration $C$, partition $C$ into a sequence of non-empty subsets $C_1, \ldots, C_n$ such that for all $(s,v) \in C_i$ and $(t,v') \in C_j$, $frac(v) < frac(v')$ iff $i < j$ (so $(s,v)$ and $(t,v')$ are in the same block $C_i$ iff $v$ and $v'$ have the same fractional part). Then define $H(C) = reg(C_1)\, reg(C_2) \ldots reg(C_n) \in \Lambda^*$.

Example 4.12. Consider the automaton $\mathcal{A}$ from Example 3.2. The maximum clock constant appearing in $\mathcal{A}$ is $1$, thus the corresponding regions are $r_0 = \{0\}$, $r_1 = (0,1)$, $r_2 = \{1\}$ and $r_3 = \{\top\}$. Given a concrete configuration $C = \{(s,1), (t,0.4), (s,1.4), (t,0.8)\}$, the corresponding abstract configuration $H(C)$ is the word $\{(s,r_2),(s,r_3)\}\ \{(t,r_1)\}\ \{(t,r_1)\}$.

The key fact about the abstraction function $H$, which is immediate from its definition, is that its kernel is the equivalence on configurations described in Definition 4.6.

Proposition 4.13. Given $\mathcal{A}$-configurations $C$ and $D$, $C \equiv D$ iff $H(C) = H(D)$.

Returning to Definition 4.11, notice that $\Lambda$, being finite, is trivially a wqo under the subset order. It follows from Lemma 4.10 that the set of abstract configurations is a wqo under the monotone domination order. Taking stock, we have defined a class of abstract configurations that is the quotient of the set of $\mathcal{A}$-configurations with respect to $\equiv$, and which carries a natural well-quasi-order. Next we show how to exploit this structure.
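As an added worked example (not from the paper), the Python below computes the abstraction $H(C)$ of Definition 4.11 and the monotone domination order on abstract configurations, so that $C \equiv D$ can be decided as $H(C) = H(D)$ (Proposition 4.13) and $C \preceq D$ as $H(C) \sqsubseteq H(D)$, the well-quasi-order used in Section 4.3. Regions are indexed $r_0, r_1, \ldots, r_{2c_{max}+1}$ as in Example 4.12, and a value above $c_{max}$ is given fractional part $0$ (the convention that places $(s,1.4)$ in the same block as $(s,1)$ in that example); the function names and the encoding of words as tuples of frozensets are this example's own.

```python
from fractions import Fraction


def to_frac(v):
    """Exact rational from an int, Fraction, decimal string or float literal."""
    return Fraction(str(v)) if isinstance(v, float) else Fraction(v)


def reg(v, cmax):
    """Region index of clock value v: r0 = {0}, r1 = (0,1), r2 = {1}, ...,
    r_{2*cmax} = {cmax}, and r_{2*cmax+1} = ⊤ for every value above cmax."""
    if v > cmax:
        return 2 * cmax + 1
    k = v.numerator // v.denominator            # integer part
    return 2 * k if v == k else 2 * k + 1


def frac_key(v, cmax):
    """Fractional part used to order the blocks of H(C); values above cmax are
    treated as having fractional part 0 (assumption, see the lead-in)."""
    if v > cmax:
        return Fraction(0)
    return v - (v.numerator // v.denominator)


def H(conf, cmax):
    """Abstract configuration of Definition 4.11: the word whose i-th letter is
    the set of (location, region) pairs sharing the i-th smallest fractional part."""
    blocks = {}
    for s, v in conf:
        v = to_frac(v)
        blocks.setdefault(frac_key(v, cmax), set()).add((s, reg(v, cmax)))
    return tuple(frozenset(blocks[k]) for k in sorted(blocks))


def dominated(u, v):
    """Monotone domination order on words over (finite sets, ⊆): u ⊑ v iff some
    strictly increasing f has u[i] ⊆ v[f(i)] for all i. Matching each letter of
    u greedily to the earliest usable letter of v is exact for this order."""
    j = 0
    for letter in u:
        while j < len(v) and not letter <= v[j]:
            j += 1
        if j == len(v):
            return False
        j += 1
    return True


def equivalent(C, D, cmax):
    """C ≡ D (Definition 4.6), decided via Proposition 4.13: H(C) = H(D)."""
    return H(C, cmax) == H(D, cmax)


def preceq(C, D, cmax):
    """The well-quasi-order C ⪯ D of Proposition 4.16: H(C) ⊑ H(D)."""
    return dominated(H(C, cmax), H(D, cmax))
```

Note that `dominated` only needs each letter of $H(C)$ to be included in some later letter of $H(D)$, so adding a state to $D$ can only make $C \preceq D$ easier to satisfy, while $\equiv$ requires the two words to coincide exactly.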

4.3. Well-Structured Transition Systems. The notion of well-structured transition system (wsts) provides a uniform framework for expressing decidability results about a variety of infinite-state systems, including Petri nets, broadcast protocols and lossy channel systems [15]. Definition 4.14 presents a particular variant, called a downward wsts in [15].

Definition 4.14. A well-structured transition system is a triple $\mathcal{W} = (W, \preceq, \to)$, where $(W, \to)$ is a finitely-branching (unlabelled) transition system equipped with a wqo $\preceq$ such that:

• $\preceq$ is a decidable relation;

• $Succ(w) := \{w' : w \to w'\}$ is computable for each $w \in W$;

• $\preceq$ is downward-compatible: if $w, v \in W$ with $w \preceq v$, then for any transition $v \to v'$ there exists a matching sequence of transitions $w \to^* w'$ with $w' \preceq v'$.

Note that downward compatibility allows a single transition of $v$ to be matched by zero or more transitions of $w$.

Theorem 4.15 ([15, Theorem 5.5]). Let $\mathcal{W} = (W, \preceq, \to)$ be a wsts. Let $V \subseteq W$ be a downward-closed (i.e. $v' \preceq v$ and $v \in V$ imply $v' \in V$) decidable subset of $W$. Then, given a state $u \in W$, it is decidable whether there is a sequence of transitions starting at $u$ and ending in $V$.

We now seek to apply Theorem 4.15 to the case at hand.

Proposition 4.16. The transition system $\mathcal{W}_\mathcal{A}$ is a wsts (after forgetting the labels on the transitions).

Proof. Define a quasi-order on the set of $\mathcal{A}$-configurations by $C \preceq D$ iff $H(C) \sqsubseteq H(D)$, i.e., the word $H(C)$ corresponding to $C$ is dominated by the word $H(D)$ corresponding to $D$. It is straightforward to see that $\preceq$ inherits the property of being a well-quasi-order from $\sqsubseteq$. Moreover $\preceq$ is a decidable relation on rational configurations, since $H$ is computable on rational configurations and $\sqsubseteq$ is decidable.

It remains to prove that $\preceq$ is downward compatible. Suppose that $C \preceq D$ and that there is a transition $D \to D'$. We show how to produce a matching sequence of transitions for $C$. To this end, it is helpful to first observe that $C \preceq D$ implies that there is a configuration $D_0 \subseteq D$ with $C \equiv D_0$. We now consider two cases according to whether the transition $D \to D'$ arises from a $\Sigma$-labelled transition or an $\varepsilon$-labelled transition.

$\Sigma$-labelled transitions. Suppose that $D \xrightarrow{a} D'$ for some $a \in \Sigma$. Since $D_0 \subseteq D$ and since the successors of a configuration under discrete steps are computed pointwise (cf. Definition 3.4), there is a configuration $D_0' \subseteq D'$ with $D_0 \xrightarrow{a} D_0'$. Now $C \equiv D_0$, so the Bisimulation Lemma yields a transition $C \xrightarrow{a} C'$ with $C' \equiv D_0'$. But $C' \equiv D_0'$ and $D_0' \subseteq D'$ together imply $C' \preceq D'$.

$\varepsilon$-transitions. Suppose that $D \xrightarrow{\varepsilon} D'$. Then $D' = D + t$ for some $t > 0$, and, writing $D_0' = D_0 + t$, we have $D_0' \subseteq D'$. By Corollary 4.8 there exists a configuration $C'$ such that $C \xrightarrow{\varepsilon^*} C'$ and $C' \equiv D_0'$. But $C' \equiv D_0'$ and $D_0' \subseteq D'$ together imply $C' \preceq D'$. □

We are now ready to state one of our main results.

Theorem 4.17. Let $\mathcal{A}$ be a one-clock timed alternating automaton and let $\mathcal{B}$ be an Alur-Dill timed automaton. Then the language-emptiness problem '$L_f(\mathcal{A}) = \emptyset$?' and the language-inclusion problem '$L_f(\mathcal{B}) \subseteq L_f(\mathcal{A})$?' are both decidable.

Proof. Since a configuration of $\mathcal{W}_\mathcal{A}$ is accepting if it only mentions accepting locations of $\mathcal{A}$, the set of accepting configurations of $\mathcal{W}_\mathcal{A}$ is downward-closed with respect to $\preceq$. By Theorem 4.15 it is decidable whether an accepting configuration of $\mathcal{W}_\mathcal{A}$ is reachable from the initial configuration. In turn this entails, by Proposition 4.9, that it is decidable whether an accepting configuration of $\mathcal{T}_\mathcal{A}$ is reachable from the initial configuration. But this question is equivalent to language emptiness for $\mathcal{A}$. This proves the first assertion of Theorem 4.17. The proof of the second assertion relies on the construction of a wsts representing the execution of $\mathcal{B}$ and $\mathcal{A}$ in parallel. We omit the details, since we treat at length essentially the same construction in Section 8, where we consider a closely related language-inclusion problem over infinite timed words. □

As noted earlier, these results have recently and independently been obtained by Lasota and Walukiewicz [25], also building on our earlier paper [28].

5. Metric Temporal Logic

In this section we define the syntax and semantics of Metric Temporal Logic (MTL). As discussed in the introduction, there are two different dense-time semantics for MTL: event-based and state-based, and for our concerns the difference is crucial. Following [16, 9, 11, 18, 19, 35], among others, we adopt an event-based semantics using timed words. A key observation about this semantics is that the temporal connectives quantify over a countable set of positions in a timed word. In contrast, the state-based semantics, adopted in, e.g., [1, 21, 32], associates a state to each point in real time, and the temporal connectives quantify over the whole time domain.¹ In the state-based semantics one can use a formula of the type $\Box(p \leftrightarrow \Diamond_{=1} q)$ to specify a perfect channel, whereas in the event-based semantics the same formula only specifies a channel with insertion errors (see Section 7). This observation helps understand why MTL is undecidable under the state-based semantics, whereas, at least over finite words, it is decidable in the event-based semantics (Theorem 6.5).

In the event-based semantics the atomic propositions in MTL refer to particular events, and the temporal connectives quantify over future events. This offers a natural idiom for reasoning about real-time behaviours, as we demonstrate in Example 5.4.

Definition 5.1. Given an alphabet $\Sigma$ of events, the formulas of MTL are built up from $\Sigma$ by Boolean connectives and time-constrained versions of the next operator $\bigcirc$ and the until operator $\mathcal{U}$ as follows:

$\varphi ::= a \mid true \mid \varphi_1 \wedge \varphi_2 \mid \neg\varphi \mid \bigcirc_I \varphi \mid \varphi_1\, \mathcal{U}_I\, \varphi_2$,

¹The state-based semantics views MTL as a subset of the monadic first-order theory of the non-negative reals, while the event-based semantics views MTL as a subset of a monadic first-order theory of the naturals with timestamps [9].
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where a G X, and / C M>q is an open, closed, or half-open interval with endpoints in 
N U {oo}. If I = [0, oo), then we omit the annotation / in Ol an d Ui- We also use pseudo- 
arithmetic expressions to denote intervals. For example, the expression '> 1' denotes [1, oo) 
and '=1' denotes the singleton {1}. 

Additional temporal operators are defined following the usual conventions. We have 
the constrained eventually operator Oj ip = true Ui ip, and the constrained always operator 
□j ip = -iOj —up. We define a dual until operator via the standard duality: ip\ Ui ip2 = 
-i{-npx Ui ->ip2)- We also define the dual of the time-constrained next operator by O/ </> = 

- 0/ -vB 

Definition 5.2. Given a (finite or infinite) timed word $\rho = (\sigma, \tau)$ over alphabet $\Sigma$, a word position $i \leq |\rho|$, and an MTL formula $\varphi$, the satisfaction relation $(\rho, i) \models \varphi$ (read $\rho$ satisfies $\varphi$ at position $i$) is defined as follows:

• $(\rho, i) \models a$ iff $\sigma_i = a$

• $(\rho, i) \models true$

• $(\rho, i) \models \varphi_1 \wedge \varphi_2$ iff $(\rho, i) \models \varphi_1$ and $(\rho, i) \models \varphi_2$

• $(\rho, i) \models \neg\varphi$ iff $(\rho, i) \not\models \varphi$

• $(\rho, i) \models \bigcirc_I \varphi$ iff $i < |\rho|$, $\tau_{i+1} - \tau_i \in I$ and $(\rho, i+1) \models \varphi$

• $(\rho, i) \models \varphi_1\, \mathcal{U}_I\, \varphi_2$ iff there exists $j$, $i \leq j \leq |\rho|$, such that $(\rho, j) \models \varphi_2$, $\tau_j - \tau_i \in I$, and $(\rho, k) \models \varphi_1$ for all $k$ with $i \leq k < j$.

For future reference it is also helpful to detail the semantics of the derived operators dual until and dual next:

• $(\rho, i) \models \widetilde{\bigcirc}_I \varphi$ iff $i = |\rho|$ or $\tau_{i+1} - \tau_i \notin I$ or $(\rho, i+1) \models \varphi$

• $(\rho, i) \models \varphi_1\, \widetilde{\mathcal{U}}_I\, \varphi_2$ iff for all $j$ such that $i \leq j \leq |\rho|$ and $\tau_j - \tau_i \in I$, either $(\rho, j) \models \varphi_2$ or there exists $k$ with $i \leq k < j$ and $(\rho, k) \models \varphi_1$.

We say that $\rho$ satisfies $\varphi$, denoted $\rho \models \varphi$, if $(\rho, 1) \models \varphi$. The set of finite models of an MTL formula $\varphi$ is given by $L_f(\varphi) = \{\rho \in T\Sigma^* : \rho \models \varphi\}$. The set of infinite models of $\varphi$ is given by $L_\omega(\varphi) = \{\rho \in T\Sigma^\omega : \rho \models \varphi\}$.

Remark 5.3. Note that in the semantics of MTL, time is measured relative to the occur- 
rence of the first event of a timed word. In particular, the semantics is translation invariant: 
adding a fixed delay d to each timestamp in a timed word does not change whether that 
word satisfies a formula or not. For this reason Wilke [35] restricts attention to timed words 
in which the first event has timestamp 0. In this case one can think of the first event as an 
initialisation event. 

Example 5.4. The following example illustrates the convenience of event-based reasoning in the real-time setting. Consider a set of events $\Sigma = \{req_i, acq_i, rel_i : i = X, Y\}$ denoting the actions of two processes $X$ and $Y$ that request, acquire, and release a lock.

• $\Box(acq_X \to \Box_{<3} \neg acq_Y)$ says that $Y$ cannot acquire the lock less than 3 seconds after $X$ acquires the lock.

• $\Box(acq_X \to rel_X\, \widetilde{\mathcal{U}}_{<3}\, \neg acq_Y)$ says that $Y$ cannot acquire the lock less than 3 seconds after $X$ acquires the lock, unless $X$ first releases it.

• $\Box(req_X \to \Diamond_{\leq 2}(acq_X \wedge \Diamond_{=1} rel_X))$ says that whenever $X$ requests the lock, it acquires the lock within 2 seconds and releases it exactly one second later.
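To make the semantics of Definition 5.2 concrete, here is an added Python evaluator (not part of the paper) for MTL over finite timed words, with the derived operators defined by exactly the dualities given above. It checks the three lock-discipline formulas of this example, and the strong-monotonicity formula $(\bigcirc_{>0}\, true)\ \mathcal{U}\ \neg\bigcirc true$ that Section 7 uses, against constructed timed words; the event names, timestamps and function names are this example's own.

```python
import math

INF = math.inf


def interval(lo=0, hi=INF, lo_closed=True, hi_closed=False):
    """I ⊆ R≥0 with endpoints in N ∪ {∞}; the defaults give [0, ∞)."""
    return (lo, hi, lo_closed, hi_closed)


def in_interval(d, I):
    lo, hi, lo_closed, hi_closed = I
    above = d > lo or (lo_closed and d == lo)
    below = d < hi or (hi_closed and d == hi)
    return above and below


# Formulas are nested tuples. Only the primitives of Definition 5.1 are
# interpreted directly; the derived operators are rewritten by the dualities.
def ev(a):                  return ("ev", a)
def true():                 return ("true",)
def neg(p):                 return ("not", p)
def conj(p, q):             return ("and", p, q)
def nxt(I, p):              return ("next", I, p)
def until(I, p, q):         return ("until", I, p, q)
def disj(p, q):             return neg(conj(neg(p), neg(q)))
def implies(p, q):          return disj(neg(p), q)
def eventually(I, p):       return until(I, true(), p)            # ◇_I p = true U_I p
def always(I, p):           return neg(eventually(I, neg(p)))     # □_I p = ¬◇_I ¬p
def dual_until(I, p, q):    return neg(until(I, neg(p), neg(q)))  # p Ũ_I q
def dual_next(I, p):        return neg(nxt(I, neg(p)))            # Õ_I p


def sat(rho, i, phi):
    """(rho, i) |= phi for a finite timed word rho = [(event, timestamp), ...]
    and a 1-based position i, following Definition 5.2 clause by clause."""
    n = len(rho)
    kind = phi[0]
    if kind == "ev":
        return rho[i - 1][0] == phi[1]
    if kind == "true":
        return True
    if kind == "not":
        return not sat(rho, i, phi[1])
    if kind == "and":
        return sat(rho, i, phi[1]) and sat(rho, i, phi[2])
    if kind == "next":                 # i < |rho|, tau_{i+1} - tau_i in I, (rho, i+1) |= p
        _, I, p = phi
        return i < n and in_interval(rho[i][1] - rho[i - 1][1], I) and sat(rho, i + 1, p)
    if kind == "until":                # some j >= i with q and tau_j - tau_i in I, p on [i, j)
        _, I, p, q = phi
        for j in range(i, n + 1):
            if in_interval(rho[j - 1][1] - rho[i - 1][1], I) and sat(rho, j, q):
                return True
            if not sat(rho, j, p):
                return False
        return False
    raise ValueError(f"unknown connective {kind!r}")


def models(rho, phi):
    """rho |= phi iff (rho, 1) |= phi; the word must be non-empty."""
    return bool(rho) and sat(rho, 1, phi)


# Example 5.4: processes X and Y request, acquire and release a lock.
LT3 = interval(0, 3)                         # "< 3"
LE2 = interval(0, 2, hi_closed=True)         # "≤ 2"
EQ1 = interval(1, 1, hi_closed=True)         # "= 1"
ALL = interval()                             # [0, ∞), the unannotated operator

PHI1 = always(ALL, implies(ev("acq_X"), always(LT3, neg(ev("acq_Y")))))
PHI2 = always(ALL, implies(ev("acq_X"), dual_until(LT3, ev("rel_X"), neg(ev("acq_Y")))))
PHI3 = always(ALL, implies(ev("req_X"),
                           eventually(LE2, conj(ev("acq_X"), eventually(EQ1, ev("rel_X"))))))

# Strong monotonicity as used in Section 7: every event except the last is
# followed by an event strictly later in time.
PHI_SM = until(ALL, nxt(interval(0, INF, lo_closed=False), true()), neg(nxt(ALL, true())))
```

Because `until` allows $j = i$, the formula $\Diamond_{=1} rel_X$ evaluated at an $acq_X$ event can only be witnessed by a later event exactly one unit on, while $\Diamond_{\leq 2}$ evaluated at a $req_X$ event also accepts the $req_X$ position itself if it happened to satisfy the operand; this is why the event-based reading of a formula differs from the state-based one.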



²Note that, unlike $\bigcirc$ in LTL, $\bigcirc_I$ is not self-dual.

J. OUAKNINE AND J. WORRELL



6. MTL over Finite Words

In this section we consider the satisfiability problem for MTL over finite words: 'Given an MTL formula $\varphi$, is $L_f(\varphi)$ nonempty?'. We also consider the following model-checking problem: 'Given an MTL formula $\varphi$ and an Alur-Dill timed automaton $\mathcal{B}$, is it the case that $L_f(\mathcal{B}) \subseteq L_f(\varphi)$?'. In both cases we show decidability by translating the MTL formulas into equivalent one-clock timed alternating automata and invoking Theorem 4.17. We also show that both problems have non-primitive recursive complexity.

6.1. Translation to Automata. By using disjunction, falsity, dual until and dual next, in addition to the standard MTL connectives, every formula can be put into a negation normal form, in which negation is only applied to events $a \in \Sigma$. Given an MTL formula $\varphi$ in negation normal form, we define a one-clock alternating automaton $\mathcal{A}_\varphi$ such that $L_f(\mathcal{A}_\varphi) = L_f(\varphi)$.

Definition 6.1. Define the closure of $\varphi$, denoted $cl(\varphi)$, as follows:

• $cl(\varphi)$ contains an element $\varphi_{init}$, called the initial copy of $\varphi$;

• $cl(\varphi)$ contains each subformula of $\varphi$ whose outermost connective is $\mathcal{U}_I$ or $\widetilde{\mathcal{U}}_I$;

• for each subformula $\bigcirc_I \psi$ of $\varphi$, $cl(\varphi)$ contains an element $(\bigcirc_I \psi)^r$, called the residual copy of $\bigcirc_I \psi$;

• for each subformula $\widetilde{\bigcirc}_I \psi$ of $\varphi$, $cl(\varphi)$ contains an element $(\widetilde{\bigcirc}_I \psi)^r$, called the residual copy of $\widetilde{\bigcirc}_I \psi$.

The closure $cl(\varphi)$ forms the set of locations of $\mathcal{A}_\varphi$; thus states of $\mathcal{A}_\varphi$ are pairs $(\psi, v)$, where $\psi \in cl(\varphi)$ and $v$ is a clock value. We define the transition function $\delta$ so that the presence of state $(\psi, 0)$ in a configuration during a run of $\mathcal{A}_\varphi$ ensures that the input word satisfies $\psi$ at the current position. To enforce this requirement, when $\psi$ is encountered the automaton starts a fresh clock and thereafter propagates $\psi$ from configuration to configuration in the run until all the obligations that it stipulates are discharged.

Definition 6.2. Let $\varphi$ be an MTL formula in negation normal form. The automaton $\mathcal{A}_\varphi$ has set of locations $cl(\varphi)$. The initial location is $\varphi_{init}$ and the accepting locations are those elements of $cl(\varphi)$ of the form $\psi_1\, \widetilde{\mathcal{U}}_I\, \psi_2$ or $(\widetilde{\bigcirc}_I \psi)^r$. In order to give a smooth recursive definition of the transition function $\delta$, we define $\delta(\psi, a)$ for all subformulas $\psi$ of $\varphi$, not just those in $cl(\varphi)$. The definition is given by the following clauses, where $a, b \in \Sigma$:



$\delta(\varphi_{init}, a) = x.\delta(\varphi, a)$

$\delta(\psi_1 \vee \psi_2, a) = \delta(\psi_1, a) \vee \delta(\psi_2, a)$

$\delta(\psi_1 \wedge \psi_2, a) = \delta(\psi_1, a) \wedge \delta(\psi_2, a)$

$\delta(\psi_1\, \mathcal{U}_I\, \psi_2, a) = \big((x.\delta(\psi_2, a)) \wedge x \in I\big) \vee \big((x.\delta(\psi_1, a)) \wedge (\psi_1\, \mathcal{U}_I\, \psi_2)\big)$

$\delta(\psi_1\, \widetilde{\mathcal{U}}_I\, \psi_2, a) = \big((x.\delta(\psi_2, a)) \vee x \notin I\big) \wedge \big((x.\delta(\psi_1, a)) \vee (\psi_1\, \widetilde{\mathcal{U}}_I\, \psi_2)\big)$

$\delta(\bigcirc_I \psi, a) = x.(\bigcirc_I \psi)^r$

$\delta((\bigcirc_I \psi)^r, a) = (x \in I) \wedge x.\delta(\psi, a)$

$\delta(\widetilde{\bigcirc}_I \psi, a) = x.(\widetilde{\bigcirc}_I \psi)^r$

$\delta((\widetilde{\bigcirc}_I \psi)^r, a) = (x \notin I) \vee x.\delta(\psi, a)$

$\delta(b, a) = true$ if $a = b$, and $false$ if $a \neq b$

$\delta(\neg b, a) = false$ if $a = b$, and $true$ if $a \neq b$.

Remark 6.3. Notice the connection between the notion of duality for MTL formulas and the notion of duality for transition functions (described in Subsection 3.2). In particular, writing $\overline{\theta}$ for the dual of $\theta$, we have $\delta(\overline{\psi_1\, \mathcal{U}_I\, \psi_2}, a) = \overline{\delta(\psi_1\, \mathcal{U}_I\, \psi_2, a)}$ and $\delta(\overline{(\bigcirc_I \psi)^r}, a) = \overline{\delta((\bigcirc_I \psi)^r, a)}$.

Proposition 6.4. Given an MTL formula $\varphi$ in negation normal form, $L_f(\mathcal{A}_\varphi) = L_f(\varphi)$.

Proof. We first show that $L_f(\mathcal{A}_\varphi) \subseteq L_f(\varphi)$. To this end, let $\rho = (\sigma, \tau)$ be a timed word in $L_f(\mathcal{A}_\varphi)$, with $|\rho| = n$. As usual, write $d_i = \tau_i - \tau_{i-1}$ for $1 \leq i \leq n$. Suppose that $\mathcal{A}_\varphi$ has an accepting run on $\rho$:

$C_0 \xrightarrow{d_1} C_1 \xrightarrow{\sigma_1} C_2 \xrightarrow{d_2} C_3 \xrightarrow{\sigma_2} \cdots \xrightarrow{\sigma_n} C_{2n}$.

We claim that for each subformula $\psi$ of $\varphi$ and each $i$ such that $1 \leq i \leq n$, $(\rho, i) \models \psi$ whenever $C_{2i} \models_0 \delta(\psi, \sigma_i)$. We prove this claim by structural induction on $\psi$.

The base case, in which $\psi = a$ or $\psi = \neg a$ for an atomic formula $a \in \Sigma$, is immediate. The only non-trivial cases in the induction step are when the outermost connective of $\psi$ is a temporal modality. We consider the cases $\psi = \bigcirc_I \psi_1$ and $\psi = \psi_1\, \mathcal{U}_I\, \psi_2$; the cases for the dual temporal connectives are similar.

Case $\psi = \bigcirc_I \psi_1$. If $C_{2i} \models_0 \delta(\psi, \sigma_i)$ then, since $\delta(\psi, \sigma_i) = x.(\bigcirc_I \psi_1)^r$, we must have $((\bigcirc_I \psi_1)^r, 0) \in C_{2i}$. In turn, this entails that $C_{2i+2} \models_0 \delta(\psi_1, \sigma_{i+1})$ and $\tau_{i+1} - \tau_i \in I$. By the induction hypothesis we have $(\rho, i+1) \models \psi_1$, whence $(\rho, i) \models \bigcirc_I \psi_1$.

Case $\psi = \psi_1\, \mathcal{U}_I\, \psi_2$. Suppose $C_{2i} \models_0 \delta(\psi, \sigma_i)$. We consider two possibilities, corresponding to the two disjuncts in the definition of $\delta(\psi, \sigma_i)$. One possibility is that $C_{2i} \models_0 \delta(\psi_2, \sigma_i)$ and $0 \in I$. In this case, by the induction hypothesis, we have $(\rho, i) \models \psi_2$, whence $(\rho, i) \models \psi_1\, \mathcal{U}_I\, \psi_2$. On the other hand, we may have $C_{2i} \models_0 \delta(\psi_1, \sigma_i)$ and $(\psi, 0) \in C_{2i}$. Then the definition of the transition function $\delta$ ensures that for each successive value of $j > i$ we have that $C_{2j} \models \delta(\psi_1, \sigma_j)$ and $(\psi, \tau_j - \tau_i) \in C_{2j}$, until at some point $C_{2j} \models \delta(\psi_2, \sigma_j)$ and $\tau_j - \tau_i \in I$. (Note that the latter must eventually occur since $\psi$ is not an accepting location.) From the induction hypothesis it is clear that this implies that $(\rho, i) \models \psi$. This completes the proof of the claim.

Having proved the claim, we observe that $(\varphi_{init}, 0) \in C_0$, and, since $\delta(\varphi_{init}, \sigma_1) = x.\delta(\varphi, \sigma_1)$, we have $C_2 \models_0 \delta(\varphi, \sigma_1)$. Thus, applying the claim in case $i = 1$ and $\psi = \varphi$, we immediately get that $\rho \models \varphi$. This completes the proof that $L_f(\mathcal{A}_\varphi) \subseteq L_f(\varphi)$.

It remains to show the converse inclusion: $L_f(\varphi) \subseteq L_f(\mathcal{A}_\varphi)$. To this end, we show that, up to renaming of locations, $\mathcal{A}_{\neg\varphi} = (\mathcal{A}_\varphi)^c$, that is, the automaton representing $\neg\varphi$ is the complement of the automaton representing $\varphi$. Indeed the set of locations of $(\mathcal{A}_\varphi)^c$ is the same as the set of locations of $\mathcal{A}_\varphi$: it is just $cl(\varphi)$. On the other hand, the set of locations of $\mathcal{A}_{\neg\varphi}$ is $cl(\neg\varphi)$, which consists of the duals of the formulas in $cl(\varphi)$. Thus the map sending a formula to its dual is a bijection between the locations of $\mathcal{A}_{\neg\varphi}$ and $(\mathcal{A}_\varphi)^c$. But now Remark 6.3 shows that the respective transition functions of $\mathcal{A}_{\neg\varphi}$ and $(\mathcal{A}_\varphi)^c$ are identical (modulo the bijection between the respective sets of locations).

Now, using the inclusion that we have just proved (applied to $\neg\varphi$), we have

$T\Sigma^* \setminus L_f(\mathcal{A}_\varphi) = L_f((\mathcal{A}_\varphi)^c) = L_f(\mathcal{A}_{\neg\varphi}) \subseteq L_f(\neg\varphi) = T\Sigma^* \setminus L_f(\varphi)$.

But this directly gives $L_f(\varphi) \subseteq L_f(\mathcal{A}_\varphi)$, which completes the proof. □



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In conjunction with Theorem 14.171 Proposition 16,41 immediately yields: 

Theorem 6.5. The satisfiability and the model- checking problems for MTL over finite words 
are both decidable. 

7. Complexity 

In this section, using a result of Schnoebelen [33] about lossy channel systems, we prove that the satisfiability and model-checking problems for MTL have non-primitive recursive complexity.

A channel machine consists of a finite-state automaton acting on an unbounded FIFO channel, or queue. More precisely, a channel machine is a tuple $\mathcal{C} = (S, M, \Delta)$, where $S$ is a finite set of control states, $M$ is a finite set of messages, and $\Delta \subseteq S \times \Sigma \times S$ is the transition relation over label set $\Sigma = \{m!, m? : m \in M\}$. A transition labelled $m!$ writes message $m$ to the tail of the channel, and a transition labelled $m?$ reads message $m$ from the head of the channel.

We define an operational semantics for channel machines as follows. A global state of $\mathcal{C}$ is a pair $\gamma = (s, x)$, where $s \in S$ is the control state and $x \in M^*$ represents the contents of the channel. The rules in $\Delta$ induce a $\Sigma$-labelled transition relation on the set of global states thus: $(s, m!, t) \in \Delta$ yields a transition $(s, x) \xrightarrow{m!} (t, x \cdot m)$ that writes $m \in M$ to the tail of the channel, and $(s, m?, t) \in \Delta$ yields a transition $(s, m \cdot x) \xrightarrow{m?} (t, x)$ that reads $m \in M$ from the head of the channel. If we only allow the transitions indicated above, then we call $\mathcal{C}$ an error-free channel machine. A computation of such a machine is a finite sequence of transitions between global states

$(s_0, x_0) \xrightarrow{\alpha_0} (s_1, x_1) \xrightarrow{\alpha_1} \cdots \xrightarrow{\alpha_{n-1}} (s_n, x_n)$.   (7.1)

We also consider channel machines that are subject to insertion errors. Given $x, y \in M^*$, write $x \sqsubseteq y$ if $x$ is a subword of $y$, i.e., $x$ can be obtained from $y$ by deleting any number of letters; for example, $sub \sqsubseteq stubborn$, keeping the letters s, u, b of 'stubborn' in order. (This is a special instance of the monotone domination order introduced earlier.) Following [33] we model insertion errors by extending the transition relation on global states with the following clause: if $(s, x) \xrightarrow{\alpha} (t, y)$, $x' \sqsubseteq x$ and $y \sqsubseteq y'$, then $(s, x') \xrightarrow{\alpha} (t, y')$. Dually, we define lossy channel machines by adding the clause: if $(s, x) \xrightarrow{\alpha} (t, y)$, $x \sqsubseteq x'$ and $y' \sqsubseteq y$, then $(s, x') \xrightarrow{\alpha} (t, y')$. The notion of a computation of a channel machine with insertion errors or lossiness errors is defined analogously to the error-free case, but with the extended transition relations.

The control-state reachability problem asks, given a channel machine $\mathcal{C} = (S, M, \Delta)$ and two distinct control states $s_{init}, s_{fin} \in S$, whether there is a finite computation of $\mathcal{C}$ starting in global state $(s_{init}, \varepsilon)$ and ending in global state $(s_{fin}, x)$ for some $x \in M^*$. This problem was proved to be decidable for lossy channel machines by Abdulla and Jonsson [4]. Later Schnoebelen [33] showed that it has non-primitive recursive complexity.

The dual control-state reachability problem asks, given a channel machine $\mathcal{C} = (S, M, \Delta)$ and two distinct control states $s_{init}, s_{fin} \in S$, whether there is a finite computation of $\mathcal{C}$ starting in global state $(s_{init}, x)$ and ending in global state $(s_{fin}, \varepsilon)$, for some initial channel contents $x \in M^*$.

Note that the difference between the control-state reachability problem and the dual control-state reachability problem lies in whether the initial or the final channel is required to be empty. This difference is significant. For instance, the control-state reachability problem is trivial for channel machines with insertion errors. In this case there is a computation from $(s_{init}, \varepsilon)$ to $(s_{fin}, x)$ for some $x \in M^*$ iff there is a path from $s_{init}$ to $s_{fin}$ in the underlying control automaton. Indeed, given such a path we can always construct a matching computation of the channel machine by using insertion errors to ensure that every read-transition along the path is enabled. In contrast, for the dual control-state reachability problem we have the following result.

Proposition 7.1. The dual control-state reachability problem for channel machines with insertion errors has non-primitive recursive complexity.

Proof. Given a channel machine $\mathcal{C} = (S, M, \Delta)$, the opposite channel machine is defined by $\mathcal{C}^{op} = (S, M, \Delta^{op})$ where

$\Delta^{op} = \{(s, m!, t) : (t, m?, s) \in \Delta\} \cup \{(s, m?, t) : (t, m!, s) \in \Delta\}$.

Note that $\mathcal{C}$ has a computation from $(s, x)$ to $(t, y)$ with lossiness errors iff $\mathcal{C}^{op}$ has a computation from $(t, y^{op})$ to $(s, x^{op})$ with insertion errors, where $(-)^{op} : M^* \to M^*$ reverses the order of a word. Thus the dual control-state reachability problem for $\mathcal{C}$ with insertion errors is equivalent to the control-state reachability problem for $\mathcal{C}^{op}$ with lossiness errors. But, as we mentioned above, this last problem is known to be decidable with non-primitive recursive complexity. □

Theorem 7.2. The satisfiability and model-checking problems for MTL over finite words have non-primitive recursive complexity.

Proof. We give a reduction of the dual control-state reachability problem for channel machines with insertion errors to the satisfiability problem for MTL. Let $\mathcal{C} = (S, M, \Delta)$ and $s_{init}, s_{fin} \in S$ be an instance of the dual control-state reachability problem. The idea is to encode computations of $\mathcal{C}$ as timed words over the alphabet $\Sigma = S \cup \{m!, m? : m \in M\}$. For instance, the computation (7.1) is represented by a timed word whose sequence of events is $s_0\, \alpha_0\, s_1 \ldots \alpha_{n-1}\, s_n$. In this encoding the key idea is to choose timestamps that mirror the FIFO discipline of the channel. This is done by requiring that every write-event $m!$ be followed one time unit later by a matching read-event $m?$.

In the following we describe an MTL formula $\varphi_{REACH}$ that describes all timed words that encode computations of $\mathcal{C}$ starting in $s_{init}$ and ending in state $s_{fin}$ with empty channel. Thus $\varphi_{REACH}$ is satisfiable iff $\mathcal{C}$ is a positive instance of the dual control-state reachability problem.

We use the formula $\varphi_{CHAN}$, below, to capture the behaviour of a channel: every write-event is followed one time unit later by a matching read-event. However, there is no guarantee that every read-event is preceded one time unit earlier by a write-event, so the channel may have insertion errors.

$\varphi_{CHAN} = \bigwedge_{m \in M} \Box(m! \to \Diamond_{=1}\, m?)$.

In order that there be no confusion in matching write-events with their corresponding subsequent read-events, we require that time be strongly monotonic (no two events can occur at the same time). This is captured by the formula $\varphi_{SM}$:

$\varphi_{SM} = (\bigcirc_{>0}\, true)\ \mathcal{U}\ \neg\bigcirc true$.
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We encode the finite control of C using the formula pcont- 

PCONT=/\{s^ \/ (OAOO*))- 

ses (s,/j,t)eA 

We then use if run to assert that a run must start in control state Si n u and obey the 
discrete controller until it terminates in control state Sfi n with empty channel: 

Prun = Sinn A (pcont U (s fin A -i O true)) . 

Finally, we combine all these requirements into preach- 

Preach = Pchan A psm A prun ■ 

Suppose we are given a timed word p satisfying preach] then we can construct a 
computation of C as follows. First, observe that p consists of an alternating sequence of 
events from S and events from {ml,m? : m G M}. This gives the sequence of control 
states and transitions in the desired computation; it remains to construct the contents of 
the channel at each control state. Suppose event s € S occurs at some point along p with 
timestamp t. Then the channel contents associated to this occurrence of s is the sequence of 
read-events occurring in p in the time interval (t,t+ 1). Observe how this definition ensures 
that a message can only be read from the head of the channel, and how each write-event 
adds a message to the tail of the channel. Finally, observe that any timed word satisfying 
Preach must have Sfi n as its last event; this ensures that the channel is empty at that 
point. 

Conversely, suppose we are given a computation of C, 

(so, x ) — >{si,xi) — > ■■■ — > (s n , x n ) 

with so = Sinit, s n = Sfi n and x n = e. We then derive a timed word p = (a, r) that satisfies 
Preach- We define a = so^o^i^i ■ ■ ■ s n ', this guarantees that p satisfies prun- It remains 
to choose a sequence of timestamps r such that pchan A psm is also satisfied. 

Since the given computation of $\mathcal{C}$ ends with the empty channel, every message that is
written to the channel is eventually read from the channel. Thus for each write-event $m!$
in $\sigma$ there is a 'matching' read-event $m?$ later on. We choose the sequence of timestamps
$\tau$ so that each such matching pair is separated by one time unit. This captures the FIFO
discipline of the channel: messages are read from the channel in the same order that they
were written to the channel. Formally we choose the $\tau_i$ sequentially, starting with $\tau_1 = 0$ and
maintaining the following invariant: $\tau_i$ is chosen such that for each matching pair $\sigma_j = m!$
and $\sigma_k = m?$, if $j < k = i$ then $\tau_k - \tau_j = 1$, and if $j < i < k$ then $\tau_i - \tau_j < 1$. It is clearly
possible to do this using the density of time.
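The timestamp construction just described, together with the channel-contents recovery from the read-events in $(t, t+1)$ given earlier, as an added example that is not part of the paper: a Python routine that assigns $\tau$ sequentially under the proof's invariant to a constructed channel-machine computation, and a check that the channel recovered from the timed word agrees with the channel obtained by replaying the computation. The string encoding of events (`m!`, `m?`, other strings for control states) and the particular computation are assumptions made here.

```python
from fractions import Fraction

def matching_pairs(sigma):
    """Map each read m? (by index) to the write m! it dequeues; reject non-FIFO
    reads and computations that do not end with an empty channel."""
    queue, pairs = [], {}
    for k, ev in enumerate(sigma):
        if ev.endswith("!"):
            queue.append(k)
        elif ev.endswith("?"):
            if not queue or sigma[queue[0]][:-1] != ev[:-1]:
                raise ValueError(f"event {k}: {ev} is not at the head of the channel")
            pairs[k] = queue.pop(0)
    if queue:
        raise ValueError("computation ends with a non-empty channel")
    return pairs

def assign_timestamps(sigma):
    """Choose tau_1 < tau_2 < ... under the proof's invariant: a read sits exactly one
    unit after its matching write, every other event strictly less than one unit
    after each write that is still unread (exact rationals, so no rounding)."""
    pairs, tau, unread = matching_pairs(sigma), [], []
    for i, ev in enumerate(sigma):
        if i == 0:
            t = Fraction(0)
        elif i in pairs:
            t = tau[pairs[i]] + 1
        elif unread:
            # the oldest unread write bounds tau_i most tightly; density of time
            # gives a point strictly between the previous event and that bound
            bound = tau[unread[0]] + 1
            t = tau[-1] + (bound - tau[-1]) / 2
        else:
            t = tau[-1] + 1
        tau.append(t)
        if ev.endswith("!"):
            unread.append(i)
        elif ev.endswith("?"):
            unread.remove(pairs[i])
    return tau

def channel_from_timed_word(sigma, tau, i):
    """Channel at the control-state event i, recovered as in the proof from the
    messages read in the open interval (tau_i, tau_i + 1)."""
    return [sigma[k][:-1] for k in range(len(sigma))
            if sigma[k].endswith("?") and tau[i] < tau[k] < tau[i] + 1]

def channel_by_replay(sigma, i):
    """Channel at position i obtained by replaying the computation (ground truth)."""
    chan = []
    for ev in sigma[:i]:
        if ev.endswith("!"):
            chan.append(ev[:-1])
        elif ev.endswith("?"):
            chan.pop(0)
    return chan

# Constructed computation: control states s0..s4 alternate with channel actions;
# a and b are written, then read back in FIFO order, leaving the channel empty.
SIGMA = ["s0", "a!", "s1", "b!", "s2", "a?", "s3", "b?", "s4"]
TAU = assign_timestamps(SIGMA)
```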

Thus a channel machine $\mathcal{C} = (S, M, \Delta)$ and pair of control states $s_{init}, s_{fin} \in S$ is a
positive instance of the dual reachability problem iff the formula $\varphi_{reach}$ is satisfiable.
This shows that the satisfiability problem for MTL has non-primitive recursive complexity.

Finally, consider a universal Alur-Dill timed automaton, i.e., one that accepts all finite
timed words. Model checking this automaton against a given MTL formula is equivalent
to asking whether the formula is valid, i.e., whether its negation is unsatisfiable. The
complexity of model checking MTL is therefore also non-primitive recursive. □
8. Infinite Words: Safety MTL

In this section we adapt constructions from Section 4 to prove the decidability of the
model-checking problem over infinite words for a subset of MTL, called Safety MTL. Safety
MTL consists of those MTL formulas whose negation normal form only includes instances
of the constrained until operator $\mathbf{U}_I$ in which interval $I$ has bounded length. Note that no
restrictions are placed on the dual-until operator $\widetilde{\mathbf{U}}_I$.

Safety MTL can express time-bounded response properties, but not arbitrary response
formulas. For instance, the formulas $\varphi_1 = \Box(a \to \Diamond_{=1} b)$ and $\varphi_2 = \Box(a \to \Diamond_{\le 5}(b \wedge \Diamond_{=1} c))$
are in Safety MTL, but $\varphi_3 = $ is not. Note in passing that, intuitively, $\varphi_2$ is much harder
to model check than $\varphi_1$. To find a counterexample to $\varphi_1$, one need only guess an $a$-event,
and check that there is no $b$-event one time unit later — a task requiring only one clock. On
the other hand, to find a counterexample to $\varphi_2$ one must not only guess an $a$-event, but
also check that every $b$-event in the ensuing five time units fails to have a matching $c$-event
one time unit later — a task requiring a potentially unbounded number of clocks.

To explain the name Safety MTL, recall from [17] that a language $L \subseteq T\Sigma^\omega$ defines a
safety property relative to the divergence of time if for every $\rho \notin L$ there exists $n \in \mathbb{N}$ such
that no infinite timed word in $T\Sigma^\omega$ extending $\rho[1 \ldots n]$ is contained in $L$. In this case we
say that $\rho[1 \ldots n]$ is a bad prefix of $\rho$.

Proposition 8.1. For every Safety MTL formula $\varphi$, $L_\omega(\varphi)$ is a safety property relative to
the divergence of time.

Proof. It is straightforward to prove this result by structural induction on $\varphi$. However, we
do not give details since we do not use this result in the sequel and since, in any case, it
follows directly from Proposition 8.2 and Proposition 8.3. □

To model check a Safety MTL formula $\varphi$ on an Alur-Dill automaton $\mathcal{B}$ we need only
check whether any of the bad prefixes of $\varphi$ are prefixes of words accepted by $\mathcal{B}$. We can
do this by invoking a variant of the idea used in the proof of Theorem 4.17. To set up
this model-checking procedure we first define a translation of $\varphi$ into a one-clock alternating
automaton $\mathcal{A}^{safe}_\varphi$ in which every location is accepting.

$\mathcal{A}^{safe}_\varphi$ is a modification of the automaton $\mathcal{A}_\varphi$ from Section 6.1. $\mathcal{A}^{safe}_\varphi$ has the same
alphabet, locations and initial location as $\mathcal{A}_\varphi$, but we declare every location of $\mathcal{A}^{safe}_\varphi$ to be
accepting. To compensate for this last change, we modify a single clause in the definition
of the transition function $\delta$ — the clause for $\varphi_1\, \mathbf{U}_I\, \varphi_2$ — as indicated below.

$$\delta(\varphi_1\, \mathbf{U}_I\, \varphi_2, a) = \big((x.\delta(\varphi_2, a)) \wedge x \in I\big) \vee \big((x.\delta(\varphi_1, a)) \wedge (\varphi_1\, \mathbf{U}_I\, \varphi_2) \wedge (x < \sup(I))\big)\,.$$

Intuitively, the above definition uses a 'timeout' rather than an acceptance condition to
ensure that the second argument of $\mathbf{U}_I$ eventually becomes true. In a non-Zeno run, the
automaton cannot get stuck forever in location $\varphi_1\, \mathbf{U}_I\, \varphi_2$ since the clock constraints in the
definition of $\delta(\varphi_1\, \mathbf{U}_I\, \varphi_2, a)$ only allow transitions when the value of clock $x$ is no greater
than $\sup(I)$.

Recall that so far we have only considered alternating automata on finite words. In
order to state the correctness of the definition of $\mathcal{A}^{safe}_\varphi$ we consider runs of timed alternating
automata on infinite words. Our task is simplified by the fact that we only consider
automata in which every location is accepting. (Technically this means that, as with automata
over finite words, we can elide the tree structure that is usually associated with runs
of alternating automata.) Suppose then that $\mathcal{A}$ is a timed alternating automaton in which
every location is accepting. A run of $\mathcal{A}$ on an infinite timed word $\rho = (\sigma, \tau)$ is an infinite
alternating sequence of time delays and discrete steps in $T_\mathcal{A}$:

$$C_0 \xrightarrow{d_1} C_1 \xrightarrow{\sigma_1} C_2 \xrightarrow{d_2} C_3 \xrightarrow{\sigma_2} \cdots \xrightarrow{d_n} C_{2n-1} \xrightarrow{\sigma_n} \cdots,$$

where $C_0$ is the initial configuration and $d_i = \tau_i - \tau_{i-1}$. We define $L_\omega(\mathcal{A})$ to be the set
of non-Zeno timed words $\rho \in T\Sigma^\omega$ over which $\mathcal{A}$ has a run. (Since every location of $\mathcal{A}$ is
accepting, there is no need to consider an acceptance condition here.)

Proposition 8.2. $L_\omega(\varphi) = L_\omega(\mathcal{A}^{safe}_\varphi)$ for each Safety MTL formula $\varphi$.

Proof. The proof of Proposition 6.4 carries over almost verbatim to the present setting.
Referring to the details of that proof, the only change is to observe that it is the 'timeout'
in the definition of $\delta(\varphi_1\, \mathbf{U}_I\, \varphi_2, a)$, rather than the fact that $\varphi_1\, \mathbf{U}_I\, \varphi_2$ is non-accepting,
that ensures that whenever $(\varphi_1\, \mathbf{U}_I\, \varphi_2, 0)$ lies in some configuration $C_{2i}$ in a run, then there
exists $j > i$ such that $C_{2j} \models \delta(\varphi_2, \sigma_j)$. □



8.1. The Model-Checking Procedure. In this section, let $\mathcal{B}$ be an Alur-Dill timed automaton
with $n$ clocks, and let $\mathcal{A}$ be a one-clock alternating automaton in which every
location is accepting. We describe a decision procedure for the model-checking problem
'$L_\omega(\mathcal{B}) \subseteq L_\omega(\mathcal{A})$?'. Combining this procedure with Proposition 8.2 gives a method for
model checking Safety MTL formulas on Alur-Dill automata.

The following proposition enables us to decide whether $L_\omega(\mathcal{B}) \subseteq L_\omega(\mathcal{A})$, while only
considering finite runs of $\mathcal{A}$. The idea is that for any word $\rho \in T\Sigma^\omega \setminus L_\omega(\mathcal{A})$, there is a
finite bad prefix $\rho[1 \ldots n]$ none of whose (non-Zeno) extensions lies in $L_\omega(\mathcal{A})$.

Proposition 8.3. Let $\mathcal{A}$ be a timed alternating automaton in which every state is accepting.
Then $\rho \in T\Sigma^\omega \setminus L_\omega(\mathcal{A})$ iff there exists $n \in \mathbb{N}$ such that $\rho[1 \ldots n] \in L_f(\mathcal{A}^c)$.

Proof. We first consider the 'if' direction. Suppose that $\rho[1 \ldots n] \in L_f(\mathcal{A}^c)$.³ By Proposition
3.7 there can be no run of $\mathcal{A}$ on the finite word $\rho[1 \ldots n]$. (Any such run would be
accepting, since every location of $\mathcal{A}$ is accepting.) A fortiori there can be no run of $\mathcal{A}$ on $\rho$.

Now we show the 'only if' direction. If $\rho \notin L_\omega(\mathcal{A})$ then $\mathcal{A}$ does not have a run on $\rho$.
Moreover we observe that for each $n \ge 1$ there are only finitely many ways to extend a
run of $\mathcal{A}$ on the finite prefix $\rho[1 \ldots n]$ to a run on $\rho[1 \ldots (n+1)]$. Thus, by König's lemma,
there exists $n \in \mathbb{N}$ such that $\mathcal{A}$ does not have a run on $\rho[1 \ldots n]$. For this choice of $n$ the
complement automaton $\mathcal{A}^c$ accepts $\rho[1 \ldots n]$. □

From this point on, the explanation of the model-checking procedure closely follows
Section 4. In fact, the remainder of this section recapitulates definitions and propositions
from Section 4 mutatis mutandis. Briefly, the main difference between Section 4 and the
present section is that rather than just considering a wsts generated by a timed alternating
automaton, we consider a wsts generated by the timed alternating automaton $\mathcal{A}^c$ and the
Alur-Dill automaton $\mathcal{B}$ executing in parallel. We reduce the language emptiness problem
'$L_\omega(\mathcal{B}) \cap \overline{L_\omega(\mathcal{A})} = \emptyset$?' (which is equivalent to '$L_\omega(\mathcal{B}) \subseteq L_\omega(\mathcal{A})$?') to reachability on this
wsts.



³ Note that since none of the locations of $\mathcal{A}^c$ is accepting, $\mathcal{A}^c$ can only accept a word by moving to the
empty configuration.
Denote by $c_{max}$ the maximum clock constant appearing in $\mathcal{A}$ and $\mathcal{B}$, and let $\mathrm{Val} =
[0, c_{max}] \cup \{\top\}$ be a set of clock values appropriate to $\mathcal{A}$ and $\mathcal{B}$. Recall that a state of $\mathcal{B}$
is a pair $\gamma = (s, v)$, where $s$ is a location of $\mathcal{B}$ and $v \in \mathrm{Val}^n$ is a clock valuation. Define a
$\mathcal{B}$-$\mathcal{A}^c$-configuration to be a pair $(\gamma, C)$, where $\gamma$ is a state of $\mathcal{B}$ and $C$ is a configuration of
$\mathcal{A}^c$. Following the pattern of Definition 4.4 we define a labelled transition system $T_{\mathcal{B},\mathcal{A}^c}$
representing $\mathcal{B}$ and $\mathcal{A}^c$ executing in parallel.

Definition 8.4. The set of states of $T_{\mathcal{B},\mathcal{A}^c}$ is the set of $\mathcal{B}$-$\mathcal{A}^c$-configurations. Following
Definition 4.4 we define an $(\mathbb{R}_{>0})$-labelled delay-step transition relation by $(\gamma, C) \xrightarrow{t} (\gamma + t, C + t)$ for $t > 0$, and a $\Sigma$-labelled discrete-step transition relation by $(\gamma, C) \xrightarrow{a} (\gamma', C')$ if
$\gamma \xrightarrow{a} \gamma'$ in $T_\mathcal{B}$ and $C \xrightarrow{a} C'$ in $T_{\mathcal{A}^c}$, where $a \in \Sigma$.

A configuration $(\gamma, C)$ of $T_{\mathcal{B},\mathcal{A}^c}$ is said to be initial if $\gamma$ is the initial state of $\mathcal{B}$ and
$C$ is the initial configuration of $\mathcal{A}^c$. Recall that $\mathcal{A}^c$ can only accept a word by moving to
the empty configuration. Thus a timed word $\rho \in L_\omega(\mathcal{B})$ fails to lie in $L_\omega(\mathcal{A})$ iff there is a
computation of $\mathcal{A}^c$ on a finite prefix of $\rho$ that reaches $\emptyset$. Motivated by this observation, we
say that a $\mathcal{B}$-$\mathcal{A}^c$-configuration $(\gamma, C)$ is doomed if $C = \emptyset$ (i.e., $\mathcal{A}^c$ has reached an accepting
configuration) and $\mathcal{B}$ can accept some infinite non-Zeno word starting in state $\gamma$. Then
$L_\omega(\mathcal{B}) \not\subseteq L_\omega(\mathcal{A})$ iff there is a doomed configuration $(\gamma, \emptyset)$ that is reachable from the initial
configuration of $T_{\mathcal{B},\mathcal{A}^c}$. Below we sketch how we can use Theorem 4.15 to prove that this
reachability problem is decidable.

To set up the application of Theorem 4.15 we reuse constructions from Section 4 to
show that $T_{\mathcal{B},\mathcal{A}^c}$ contains a sub-transition-system $W_{\mathcal{B},\mathcal{A}^c}$ that is a wsts. The first step is to
adapt the notion of the time successor of a configuration to the present setting.

Definition 8.5. Let $(\gamma, C)$ be a $\mathcal{B}$-$\mathcal{A}^c$-configuration, where $\gamma = (s, v)$, and let $E = \{v_i :
1 \le i \le n\} \cup \{v : (t, v) \in C\}$ be the set of clock values appearing in $(\gamma, C)$. Write
$\mu = \max\{\mathrm{frac}(v) : v \in E\}$ for the maximum fractional part of the clock values in $E$. Now
define the time successor of $(\gamma, C)$ to be the configuration $\mathrm{next}(\gamma, C) = (\gamma + d, C + d)$, where
$d = (1 - \mu)/2$ if $E$ contains an integer, and $d = 1 - \mu$ otherwise.

Definition 8.6. Define the labelled transition system $W_{\mathcal{B},\mathcal{A}^c}$ as follows.

• Alphabet. The alphabet of $W_{\mathcal{B},\mathcal{A}^c}$ is $\Sigma \cup \{\varepsilon\}$.

• States. The states of $W_{\mathcal{B},\mathcal{A}^c}$ are those configurations $(\gamma, C)$ in which all clock values
are rational (henceforth call such configurations rational).

• Transitions. Each configuration $(\gamma, C)$ makes a unique $\varepsilon$-transition to its time
successor $\mathrm{next}(\gamma, C)$. For $a \in \Sigma$, we declare that $(\gamma, C) \xrightarrow{a} (\gamma', C')$ in $W_{\mathcal{B},\mathcal{A}^c}$ iff
$(\gamma, C) \xrightarrow{a} (\gamma', C')$ in $T_{\mathcal{B},\mathcal{A}^c}$.

Continuing to shadow the development in Section 4, we adapt the Bisimulation Lemma,
Lemma 4.7, to the present setting. We define an equivalence relation $\equiv$ on $\mathcal{B}$-$\mathcal{A}^c$-configurations
that abstracts away from precise clock values, recording only their integer parts and
the relative order of their fractional parts.

Definition 8.7. Suppose that $(\gamma, C)$ and $(\gamma', C')$ are $\mathcal{B}$-$\mathcal{A}^c$-configurations such that $\gamma =
(s, (v_1, \ldots, v_n))$, $\gamma' = (s', (v'_1, \ldots, v'_n))$, $C = \{(s_i, u_i)\}_{i \in I}$ and $C' = \{(s'_i, u'_i)\}_{i \in I}$. (In particular,
we require that $C$ and $C'$ have the same cardinality.) Then we define $(\gamma, C) \equiv (\gamma', C')$
if the following hold, where $\bowtie \in \{<, =, >\}$:

• $s = s'$ and $s_i = s'_i$ for each $i \in I$

• $u_i \sim u'_i$ for $i \in I$ and $v_j \sim v'_j$ for $j \in \{1, \ldots, n\}$

• $\mathrm{frac}(u_i) \bowtie \mathrm{frac}(u_j)$ iff $\mathrm{frac}(u'_i) \bowtie \mathrm{frac}(u'_j)$ for $i, j \in I$

• $\mathrm{frac}(v_i) \bowtie \mathrm{frac}(v_j)$ iff $\mathrm{frac}(v'_i) \bowtie \mathrm{frac}(v'_j)$ for $i, j \in \{1, \ldots, n\}$

• $\mathrm{frac}(u_i) \bowtie \mathrm{frac}(v_j)$ iff $\mathrm{frac}(u'_i) \bowtie \mathrm{frac}(v'_j)$ for $i \in I$, $j \in \{1, \ldots, n\}$.

The first four clauses of this definition ensure that $(\gamma, C) \equiv (\gamma', C')$ implies that $\gamma$
and $\gamma'$ are region equivalent in the sense of [5] and that $C \equiv C'$ in the sense of Definition
4.6. However Definition 8.7 doesn't just involve comparing fractional parts among the clock
values in $C$, and separately among the clock values in $\gamma$: the fifth clause compares between
values in $\gamma$ and values in $C$. This is essential for $\equiv$ to be a congruence with respect to the
time-successor operation, as the following example shows.

Example 8.8. Let $(\gamma, C)$ and $(\gamma, C')$ be $\mathcal{B}$-$\mathcal{A}^c$-configurations, with $\gamma = (s, (1.1, 0.6))$, $C =
\{(s_1, 0.5)\}$ and $C' = \{(s_1, 0.7)\}$. Note that $C \equiv C'$ (cf. Definition 4.6) and so, without the
final clause in Definition 8.7, we would have $(\gamma, C) \equiv (\gamma, C')$. But it is clearly the case
that $\mathrm{next}(\gamma, C) \not\equiv \mathrm{next}(\gamma, C')$. In fact, $\mathrm{next}(\gamma, C)$ has the form $(\gamma', D)$ for some $\gamma'$ with
$D = \{(s_1, 0.9)\}$, while $\mathrm{next}(\gamma, C')$ has the form $(\eta, D')$ for some $\eta$ with $D' = \{(s_1, 1)\}$.
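Definitions 8.5 and 8.7 and Example 8.8 worked in code, as an added example that is not part of the paper: a Python implementation of $\mathrm{next}(\gamma, C)$ and of $\equiv$ with the fifth clause switchable, run on the two configurations of Example 8.8. Assumptions made here: a configuration $C$ is a list whose positions play the role of the index set $I$, clock values are exact rationals below $c_{max}$ (the value $\top$ is not modelled), and $u \sim u'$ is read as equal integer parts with both or neither integral, since Definition 4.6 is not reproduced on this page.

```python
from fractions import Fraction
import math

def frac(x):
    return x - math.floor(x)

def same_int_part(x, y):
    # assumed reading of u ~ u': equal integer parts, and both or neither integral
    return math.floor(x) == math.floor(y) and (frac(x) == 0) == (frac(y) == 0)

def order(x, y):
    # which of <, =, > relates x and y, encoded as -1, 0, 1
    return (x > y) - (x < y)

def next_conf(gamma, C):
    """Time successor of Definition 8.5: gamma = (s, v) with v the tuple of the
    n clock values of B, C a list of (location, clock value) pairs of A^c."""
    s, v = gamma
    E = list(v) + [u for _, u in C]
    mu = max(frac(x) for x in E)
    d = (1 - mu) / 2 if any(frac(x) == 0 for x in E) else 1 - mu
    return (s, tuple(x + d for x in v)), [(loc, u + d) for loc, u in C]

def equivalent(conf1, conf2, fifth_clause=True):
    """The relation of Definition 8.7. fifth_clause=False drops the comparison
    between gamma's clocks and C's clocks, leaving region equivalence of gamma
    and the Definition 4.6 equivalence of C, checked separately."""
    (s, v), C = conf1
    (s2, v2), C2 = conf2
    if s != s2 or len(C) != len(C2) or len(v) != len(v2):
        return False
    if any(l1 != l2 for (l1, _), (l2, _) in zip(C, C2)):            # clause 1
        return False
    u, u2 = [x for _, x in C], [x for _, x in C2]
    if not all(same_int_part(a, b) for a, b in zip(u + list(v), u2 + list(v2))):
        return False                                                 # clause 2
    for xs, ys in ((u, u2), (v, v2)):                                # clauses 3, 4
        for i in range(len(xs)):
            for j in range(len(xs)):
                if order(frac(xs[i]), frac(xs[j])) != order(frac(ys[i]), frac(ys[j])):
                    return False
    if fifth_clause:                                                 # clause 5
        for i in range(len(u)):
            for j in range(len(v)):
                if order(frac(u[i]), frac(v[j])) != order(frac(u2[i]), frac(v2[j])):
                    return False
    return True

# Example 8.8 as exact rationals: gamma = (s, (1.1, 0.6)), C = {(s1, 0.5)}, C' = {(s1, 0.7)}
GAMMA = ("s", (Fraction(11, 10), Fraction(3, 5)))
C_1 = [("s1", Fraction(1, 2))]
C_2 = [("s1", Fraction(7, 10))]

if __name__ == "__main__":
    print(equivalent((GAMMA, C_1), (GAMMA, C_2), fifth_clause=False))  # True: clauses 1-4 hold
    print(equivalent((GAMMA, C_1), (GAMMA, C_2)))                      # False: 0.5 < 0.6 but 0.7 > 0.6
    print(next_conf(GAMMA, C_1), next_conf(GAMMA, C_2))                # D = {(s1, 9/10)}, D' = {(s1, 1)}
    print(equivalent(next_conf(GAMMA, C_1), next_conf(GAMMA, C_2)))    # False
```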

Lemma 8.9 (Bisimulation Lemma). Suppose that $(\gamma, C)$ and $(\eta, D)$ are $\mathcal{B}$-$\mathcal{A}^c$-configurations
such that $(\gamma, C) \equiv (\eta, D)$. Then for each transition $(\gamma, C) \xrightarrow{a} (\gamma', C')$, with $a \in \Sigma \cup \{\varepsilon\}$,
there exists a configuration $(\eta', D')$ such that $(\eta, D) \xrightarrow{a} (\eta', D')$ and $(\gamma', C') \equiv (\eta', D')$.

Proof. The proof is almost identical to that of Lemma 4.7. □

Proposition 8.10. If configuration $(\gamma, C)$ is reachable from the initial configuration in
$T_{\mathcal{B},\mathcal{A}^c}$, then there is a rational configuration $(\gamma', C')$, with $(\gamma, C) \equiv (\gamma', C')$, such that $(\gamma', C')$
is reachable from the initial configuration in $W_{\mathcal{B},\mathcal{A}^c}$.

Proof. The proof is almost identical to that of Proposition 4.9. □

To complete the correspondence with Section 4 it remains to show that $W_{\mathcal{B},\mathcal{A}^c}$ is a
wsts. As we now explain, this requires a slight variation of the construction used in Proposition
4.14.

Suppose that $\mathcal{A}$ has set of locations $S$ and that $\mathcal{B}$ has set of locations $T$, where $S$ and
$T$ are disjoint. Define a finite alphabet $\Lambda$ to be the set of non-empty subsets of $((T \times
\{1, \ldots, n\}) \cup S) \times \mathrm{REG}$, where $\mathrm{REG}$ is the set of clock regions as defined in Subsection 4.1.
Following Definition 4.11 an abstract $\mathcal{B}$-$\mathcal{A}^c$-configuration is a finite word over $\Lambda$.

We reuse the abstraction function $H$ from Section 4 to map $\mathcal{B}$-$\mathcal{A}^c$-configurations to
abstract configurations as follows: map a configuration $((s, v), C)$ of $T_{\mathcal{B},\mathcal{A}^c}$ to the word
$H(\{((s, 1), v_1), \ldots, ((s, n), v_n)\} \cup C) \in \Lambda^*$. From this word we can reconstruct all clock
values in $((s, v), C)$ up to the nearest integer and also the relative order of the fractional
parts of the clocks. As in Proposition 4.13 this observation implies that the kernel of $H$
agrees with the notion of equivalence of $\mathcal{B}$-$\mathcal{A}^c$-configurations, that is, $H(\gamma, C) = H(\gamma', C')$
implies $(\gamma, C) \equiv (\gamma', C')$.

Proposition 8.11. Define a quasi-order on $\mathcal{B}$-$\mathcal{A}^c$-configurations by $(\gamma, C) \preceq (\gamma', C')$ iff
$H(\gamma, C) \sqsubseteq H(\gamma', C')$, where $\sqsubseteq$ refers to the subword order on $\Lambda^*$. Then $W_{\mathcal{B},\mathcal{A}^c}$ is a wsts
when equipped with this quasi-order.


Proof. The proof is almost identical to that of Proposition 4.16. □
Theorem 8.12. Let $\mathcal{B}$ denote an Alur-Dill automaton, and $\mathcal{A}$ a one-clock alternating automaton
in which every state is accepting. Then the language inclusion problem '$L_\omega(\mathcal{B}) \subseteq
L_\omega(\mathcal{A})$?' is decidable.

Proof. The inclusion $L_\omega(\mathcal{B}) \subseteq L_\omega(\mathcal{A})$ holds iff it is not possible to reach a doomed state from
the initial state in $W_{\mathcal{B},\mathcal{A}^c}$. Now the set of doomed states in $W_{\mathcal{B},\mathcal{A}^c}$ is trivially downward-closed
with respect to the monotone domination order (recall that $(\gamma, C)$ is doomed only
if $C = \emptyset$). The set of doomed states is also decidable: to decide doom of $(\gamma, \emptyset)$ we have
to check whether $\mathcal{B}$ can accept a non-Zeno timed word starting from $\gamma$. This last problem
is essentially the language-emptiness problem for Alur-Dill automata over infinite timed
words, which is well-known to be decidable — see [5]. Theorem 4.15 now yields a decision
procedure for the language inclusion question '$L_\omega(\mathcal{B}) \subseteq L_\omega(\mathcal{A})$?'. □

Corollary 8.13. The model-checking problem for Safety MTL over infinite words is decidable:
given an Alur-Dill automaton $\mathcal{B}$ and a Safety MTL formula $\varphi$, there is an algorithm
to decide whether or not $L_\omega(\mathcal{B}) \subseteq L_\omega(\varphi)$.

Proof. Apply Theorem 8.12 in case $\mathcal{A} = \mathcal{A}^{safe}_\varphi$, using the result of Proposition 8.2 that
$L_\omega(\varphi) = L_\omega(\mathcal{A}^{safe}_\varphi)$. □



9. Conclusion 

In this paper, we have shown that Metric Temporal Logic is decidable over finite timed 
words in its standard dense-time, point-based semantics, with non-primitive recursive com- 
plexity. Over infinite words, we have shown that the important safety fragment of Metric 
Temporal Logic can be model checked. 

To prove the decidability results above, we introduced the class of timed alternating
automata, and showed that the language-emptiness problem for one-clock timed alternating
automata over finite words is decidable. In the words of [21], one-clock timed alternating
automata constitute a fully decidable specification formalism for timed languages in
that they are closed under all Boolean operations and language emptiness is decidable. In
contrast to Alur-Dill timed automata, one-clock timed alternating automata do not admit
finite untimed quotients. In fact, it is straightforward to define a one-clock timed alternating
automaton $\mathcal{A}$ such that the untimed language obtained from $L_f(\mathcal{A})$ (by forgetting all
timestamps) is the classic non-regular language $\{a^n b^m : 0 < n < m\}$. Reflecting this fact,
the termination proof for our language emptiness algorithm used a well-quasi-order derived
from Higman's Lemma.

The focus of this paper has exclusively been on MTL over finite words. Recently we
have obtained both positive and negative decidability results for MTL over infinite words.
In particular, we have shown that the satisfiability problem for Safety MTL is decidable [31],
whereas the satisfiability problem for MTL is undecidable [30]. Thus restricting to safety
properties is crucial to obtaining decidability.